2 * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
23 #include <unordered_set>
27 #include <app_install_helper.h>
28 #include <cynara_test_admin.h>
29 #include <dpl/test/test_runner.h>
30 #include <dpl/test/test_runner_child.h>
31 #include <pkg_privacy_privileges.h>
32 #include <policy_configuration.h>
33 #include <scoped_installer.h>
35 #include <sm_commons.h>
36 #include <sm_policy_request.h>
37 #include <sm_request.h>
38 #include <synchronization_pipe.h>
39 #include <temp_test_user.h>
40 #include <tests_common.h>
42 using namespace SecurityManagerTest;
49 // Privileges required for having permission to self/admin get/set policies.
50 const std::string SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
51 const std::string ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
53 typedef std::vector<std::string> Privileges;
54 const std::vector<Privileges> TEST_PRIVILEGES = {
56 "http://tizen.org/privilege/internet",
57 "http://tizen.org/privilege/display"
60 "http://tizen.org/privilege/telephony",
61 "http://tizen.org/privilege/datasharing"
64 "http://tizen.org/privilege/content.write",
65 "http://tizen.org/privilege/led",
66 "http://tizen.org/privilege/email"
69 "http://tizen.org/privilege/led",
70 "http://tizen.org/privilege/email",
71 "http://tizen.org/privilege/telephony",
72 "http://tizen.org/privilege/datasharing"
75 "http://tizen.org/privilege/internet",
76 "http://tizen.org/privilege/display",
77 "http://tizen.org/privilege/led",
78 "http://tizen.org/privilege/email"
82 const PrivilegeVector TEST_PRIVACY_PRIVILEGES[] = {
84 Privilege("http://tizen.org/privilege/telephony"),
85 Privilege("http://tizen.org/privilege/led"),
86 Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
87 Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY),
88 Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY),
91 Privilege("http://tizen.org/privilege/telephony"),
92 Privilege("http://tizen.org/privilege/led"),
93 Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY),
99 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
101 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
103 TemporaryTestUser tmpUser("sm_test_10_user_name", GUM_USERTYPE_NORMAL, false);
106 unsigned expectedPolicyCount = 0;
107 std::map<std::string, AppInstallHelper> appIdToAIH;
108 for (unsigned i = 0; i < TEST_PRIVILEGES.size(); i++) {
109 AppInstallHelper app("sm_test_10_" + std::to_string(i), tmpUser.getUid());
110 app.addPrivileges(TEST_PRIVILEGES[i]);
111 expectedPolicyCount += app.getPrivileges().size();
112 appIdToAIH.emplace(app.getAppId(), std::move(app));
115 AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid());
116 std::string privManagerAppId = privManager.getAppId();
117 privManager.addPrivilege(SELF_PRIVILEGE);
118 expectedPolicyCount += privManager.getPrivileges().size();
119 appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));
121 std::vector<ScopedInstaller> scopedInstallations;
122 for (const auto &appIdAIH : appIdToAIH) {
123 scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
127 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
128 if (pid != 0) { //parent process
130 } else { //child process
131 Api::setProcessLabel(privManagerAppId);
132 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
133 "drop_root_privileges failed");
135 std::vector<PolicyEntry> policyEntries;
136 Api::getPolicy(PolicyEntry(), policyEntries);
138 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
139 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
140 "Number of policies doesn't match - should be: " << expectedPolicyCount
141 << " and is " << policyEntries.size());
143 for (const auto &policyEntry : policyEntries) {
144 std::string user = policyEntry.getUser();
145 std::string app = policyEntry.getAppId();
146 std::string privilege = policyEntry.getPrivilege();
148 RUNNER_ASSERT_MSG(user == tmpUser.getUidString(), "Unexpected user: " << user);
150 auto appIt = appIdToAIH.find(app);
151 RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
153 AppInstallHelper &aih = appIt->second;
154 auto appPrivileges = aih.getPrivilegesNames();
155 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
156 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
157 "Unexpected privilege " << privilege << " for app " << app);
163 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
165 const std::string normalNameToSwitch = "sm_test_11_user_name_normal";
166 const std::vector<UserInfo> userInfos = {{normalNameToSwitch, GUM_USERTYPE_NORMAL},
167 {"sm_test_11_user_name_admin", GUM_USERTYPE_ADMIN}};
169 std::map<std::string, TemporaryTestUser> usernameToTTU;
170 // uid + app_id -> AppInstallHelper (different users can have same app_id installed)
171 std::map<std::pair<uid_t,std::string>, AppInstallHelper> userAppIdToAIH;
172 unsigned expectedPolicyCount = 0;
174 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
175 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
178 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
179 AppInstallHelper app("sm_test_11_" + std::to_string(p_i), user.getUid());
180 app.addPrivileges(TEST_PRIVILEGES[p_i]);
181 if (user.getUserName() == normalNameToSwitch) // Only entries for this user should be fetched
182 expectedPolicyCount += app.getPrivileges().size();
183 userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
186 usernameToTTU.emplace(userInfos[u_i].userName, std::move(user));
189 TemporaryTestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch);
191 AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid());
192 std::string privManagerAppId = privManager.getAppId();
193 privManager.addPrivilege(SELF_PRIVILEGE);
194 expectedPolicyCount += privManager.getPrivileges().size();
195 userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()),
196 std::move(privManager));
198 std::vector<ScopedInstaller> scopedInstallations;
199 for (const auto &userAppIdAIH : userAppIdToAIH) {
200 scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
204 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
205 if (pid != 0) { //parent process
207 } else { //child process
208 Api::setProcessLabel(privManagerAppId);
209 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
210 normalUserToSwitch.getGid()) == 0,
211 "drop_root_privileges failed");
213 std::vector<PolicyEntry> policyEntries;
214 Api::getPolicy(PolicyEntry(), policyEntries);
216 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
217 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
218 "Number of policies doesn't match - should be: " << expectedPolicyCount
219 << " and is " << policyEntries.size());
221 for (const auto &policyEntry : policyEntries) {
222 // Expect policy only for current process user
223 std::string user = policyEntry.getUser();
224 std::string app = policyEntry.getAppId();
225 std::string privilege = policyEntry.getPrivilege();
227 RUNNER_ASSERT_MSG(normalUserToSwitch.getUidString() == user, "Unexpected user: " << user);
228 auto userAppIdToAIHIt = userAppIdToAIH.find(std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
229 RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
230 "Unknown app " << app << " for user " << user);
232 AppInstallHelper &aih = userAppIdToAIHIt->second;
233 auto privs = aih.getPrivileges();
235 auto appPrivileges = aih.getPrivilegesNames();
236 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
237 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
238 "Unexpected privilege " << privilege << " for app " << app);
244 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
246 std::vector<PolicyEntry> oldPolicyVec;
247 Api::getPolicy(PolicyEntry(), oldPolicyVec);
248 std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
250 std::string adminNameToSwitch = "sm_test_12_user_name_admin";
251 const std::vector<UserInfo> userInfos = {{"sm_test_12_user_name_normal",GUM_USERTYPE_NORMAL},
252 {adminNameToSwitch, GUM_USERTYPE_ADMIN}};
254 std::map<std::string, TemporaryTestUser> usernameToTTU;
255 std::vector<std::string> uidStrings;
256 // uidstring + app_id -> AppInstallHelper
257 std::map<std::pair<uid_t, std::string>, AppInstallHelper> userAppIdToAIH;
258 unsigned expectedPolicyCount = oldPolicyVec.size();
260 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
261 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
263 uidStrings.push_back(user.getUidString());
265 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
266 AppInstallHelper app("sm_test_12_" + std::to_string(p_i), user.getUid());
267 // Shift privileges, so same app_id for different users doesn't have same privileges
268 app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
269 expectedPolicyCount += app.getPrivileges().size();
270 userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
272 usernameToTTU.emplace(user.getUserName(), std::move(user));
275 TemporaryTestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch);
277 AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid());
278 std::string privManagerAppId = privManager.getAppId();
279 privManager.addPrivilege(SELF_PRIVILEGE);
280 privManager.addPrivilege(ADMIN_PRIVILEGE);
281 expectedPolicyCount += privManager.getPrivileges().size();
283 userAppIdToAIH.emplace(std::make_pair(adminUserToSwitch.getUid(), privManager.getAppId()),
284 std::move(privManager));
286 std::vector<ScopedInstaller> scopedInstallations;
287 for (const auto &userAppIdAIH : userAppIdToAIH) {
288 scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
292 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
293 if (pid != 0) { //parent process
295 } else { //child process
296 Api::setProcessLabel(privManagerAppId);
297 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
298 adminUserToSwitch.getGid()) == 0,
299 "drop_root_privileges failed");
301 std::vector<PolicyEntry> policyEntries;
302 Api::getPolicy(PolicyEntry(), policyEntries);
303 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
304 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
305 "Number of policies doesn't match - should be: " << expectedPolicyCount
306 << " and is " << policyEntries.size());
308 for (const auto &policyEntry : policyEntries) {
309 // Expect policy for all users to be returned
310 if (oldPolicySet.count(policyEntry))
312 std::string user = policyEntry.getUser();
313 std::string app = policyEntry.getAppId();
314 std::string privilege = policyEntry.getPrivilege();
316 auto uidStringIt = std::find(uidStrings.begin(), uidStrings.end(), user);
317 RUNNER_ASSERT_MSG(uidStringIt != uidStrings.end(), "Unexpected user: " << user);
319 auto userAppIdToAIHIt = userAppIdToAIH.find(
320 std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
321 RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
322 "Unknown app " << app << " for user " << user);
324 AppInstallHelper &aih = userAppIdToAIHIt->second;
325 auto privs = aih.getPrivileges();
327 auto appPrivileges = aih.getPrivilegesNames();
328 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
329 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
330 "Unexpected privilege " << privilege << " for app " << app);
336 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
338 std::string normalName = "sm_test_13_user_name_normal";
339 std::string adminName = "sm_test_13_user_name_admin";
340 const std::vector<UserInfo> userInfos = {{normalName,GUM_USERTYPE_NORMAL},
341 {adminName, GUM_USERTYPE_ADMIN}};
343 std::map<std::string, TemporaryTestUser> usernameToTTU;
344 std::map<uid_t, std::vector<AppInstallHelper>> uidToAIHs;
345 unsigned expectedPolicyCount = 0;
346 std::string privManagerAppId;
348 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
349 //Only entries for one of the users will be listed
350 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
353 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
354 AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid());
355 // Shift privileges, so same app_id for different user doesn't have same privileges
356 app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
357 expectedPolicyCount += app.getPrivileges().size();
358 uidToAIHs[user.getUid()].emplace_back(std::move(app));
360 AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid());
361 privManagerAppId = privManager.getAppId();
362 privManager.addPrivilege(SELF_PRIVILEGE);
363 expectedPolicyCount += privManager.getPrivileges().size();
364 uidToAIHs[user.getUid()].emplace_back(std::move(privManager));
366 usernameToTTU.emplace(user.getUserName(), std::move(user));
369 std::vector<ScopedInstaller> scopedInstallations;
370 for (const auto &userAIHs : uidToAIHs) {
371 for (const auto &aih : userAIHs.second)
372 scopedInstallations.emplace_back(ScopedInstaller(aih));
375 TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
376 TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
379 RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
380 if (pid == 0) { //child #1 process
381 Api::setProcessLabel(privManagerAppId);
382 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
383 "drop_root_privileges failed");
384 auto &app1 = uidToAIHs[normalUser.getUid()][0];
385 auto &app2 = uidToAIHs[normalUser.getUid()][0];
386 PolicyRequest policyRequest;
387 PolicyEntry policyEntry(
389 normalUser.getUidString(),
390 app1.getPrivileges()[0]
392 policyEntry.setLevel("Deny");
394 policyRequest.addEntry(policyEntry);
395 policyEntry = PolicyEntry(
397 normalUser.getUidString(),
398 app1.getPrivileges()[1]
400 policyEntry.setLevel("Deny");
401 policyRequest.addEntry(policyEntry);
402 Api::sendPolicy(policyRequest);
408 RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
409 if (pid == 0) { //child #2 process
410 Api::setProcessLabel(privManagerAppId);
411 // Admin user, but in context of app, which doesn't have usermanagement privilege
412 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
413 "drop_root_privileges failed");
415 PolicyEntry filter = PolicyEntry(
416 SECURITY_MANAGER_ANY,
417 normalUser.getUidString(),
420 std::vector<PolicyEntry> policyEntries;
421 //U2 requests contents of U1 privacy manager - should fail
422 Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
423 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
424 << policyEntries.size() << " entries");
426 filter = PolicyEntry(
427 SECURITY_MANAGER_ANY,
428 SECURITY_MANAGER_ANY,
432 policyEntries.clear();
434 //U2 requests contents of ADMIN bucket - should fail
435 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
436 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
437 << policyEntries.size() << " entries");
445 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
447 TemporaryTestUser adminUserToSwitch("sm_test_14_user_name_admin", GUM_USERTYPE_ADMIN);
448 adminUserToSwitch.create();
450 AppInstallHelper privManager("sm_test_14_priv_manager", adminUserToSwitch.getUid());
451 privManager.addPrivilege(ADMIN_PRIVILEGE);
453 ScopedInstaller privManagerInstall(privManager);
458 } else { //child process
459 Api::setProcessLabel(privManager.getAppId());
460 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
461 adminUserToSwitch.getGid()) == 0,
462 "drop_root_privileges failed");
464 PolicyRequest setPolicyRequest;
465 std::vector<PolicyEntry> policyEntries;
467 const std::string internetPriv = "http://tizen.org/privilege/internet";
468 const std::string displayPriv = "http://tizen.org/privilege/display";
470 PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, internetPriv);
471 internetPolicyEntry.setMaxLevel("Deny");
472 setPolicyRequest.addEntry(internetPolicyEntry);
474 PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, displayPriv);
475 displayPolicyEntry.setMaxLevel("Deny");
476 setPolicyRequest.addEntry(displayPolicyEntry);
478 Api::sendPolicy(setPolicyRequest);
480 Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
481 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2"
482 " and is " << policyEntries.size());
484 PolicyRequest delPolicyRequest;
486 internetPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
487 delPolicyRequest.addEntry(internetPolicyEntry);
489 displayPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
490 delPolicyRequest.addEntry(displayPolicyEntry);
492 Api::sendPolicy(delPolicyRequest);
494 policyEntries.clear();
495 Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
496 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
497 " and is " << policyEntries.size());
502 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
504 const std::string updatePriv = "http://tizen.org/privilege/led";
506 TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
509 AppInstallHelper updatedApp("security_manager_15_update");
510 ScopedInstaller updatedAppInstall(updatedApp);
512 AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
513 privManager.addPrivilege(ADMIN_PRIVILEGE);
514 ScopedInstaller privManagerInstall(privManager);
517 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
518 if (pid != 0) { //parent process
520 CynaraTestAdmin::Admin admin;
521 admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
522 adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
525 Api::setProcessLabel(privManager.getAppId());
527 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
528 "drop_root_privileges failed");
530 PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv);
531 entry.setMaxLevel("Allow");
532 PolicyRequest addPolicyRequest;
533 addPolicyRequest.addEntry(entry);
534 Api::sendPolicy(addPolicyRequest);
539 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
541 const std::string updatePriv = "http://tizen.org/privilege/led";
543 TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
546 AppInstallHelper app("security_manager_15");
547 ScopedInstaller appInstall(app);
549 AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
550 privManager.addPrivilege(ADMIN_PRIVILEGE);
551 ScopedInstaller privManagerInstall(privManager);
554 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
557 CynaraTestAdmin::Admin admin;
558 admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
559 adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
562 Api::setProcessLabel(privManager.getAppId());
563 RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
564 "drop_root_privileges failed");
566 PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv);
567 entry.setMaxLevel("Allow");
569 PolicyRequest addPolicyRequest;
570 addPolicyRequest.addEntry(entry);
571 Api::sendPolicy(addPolicyRequest);
576 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
578 const std::string updatePriv = "http://tizen.org/privilege/led";
580 TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL);
583 AppInstallHelper app("security_manager_15");
584 ScopedInstaller appInstall(app);
586 AppInstallHelper privManager("security_manager_15_priv_manager", user.getUid());
587 privManager.addPrivilege(SELF_PRIVILEGE);
588 ScopedInstaller privManagerInstall(privManager);
591 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
594 CynaraTestAdmin::Admin admin;
595 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
596 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
598 Api::setProcessLabel(privManager.getAppId());
599 RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
600 "drop_root_privileges failed");
602 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
603 entry.setLevel("Allow");
605 PolicyRequest addPolicyRequest;
606 addPolicyRequest.addEntry(entry);
607 Api::sendPolicy(addPolicyRequest);
612 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
614 TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
618 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
622 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
623 "drop_root_privileges failed");
627 int ret = security_manager_policy_levels_get(&levels, &count);
628 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
629 "Invlid return code: " << ret);
630 std::unique_ptr<char *, std::function<void(char**)>> descriptionsPtr(levels,
631 [count](char **levels) { security_manager_policy_levels_free(levels, count);});
633 RUNNER_ASSERT_MSG(count >= 2, "Invalid number of policy levels. Should be 3,"
634 " instead there is: " << count);
636 std::string denyPolicy = std::string(levels[0]);
637 std::string allowPolicy = std::string(levels[count-1]);
639 // first should always be Deny
640 RUNNER_ASSERT_MSG(denyPolicy.compare("Deny") == 0,
641 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
643 // last should always be Allow
644 RUNNER_ASSERT_MSG(allowPolicy.compare("Allow") == 0,
645 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
650 RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
652 const std::string updatePriv = "http://tizen.org/privilege/led";
654 TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL);
657 AppInstallHelper app("security_manager_17a");
658 ScopedInstaller appInstall(app);
660 SynchronizationPipe synchPipe;
662 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
664 synchPipe.claimParentEp();
667 CynaraTestAdmin::Admin admin;
668 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
669 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
673 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
674 updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
677 synchPipe.claimChildEp();
678 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
679 "drop_root_privileges failed");
681 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
682 entry.setLevel("Allow");
683 PolicyRequest addPolicyRequest;
684 addPolicyRequest.addEntry(entry);
685 Api::sendPolicy(addPolicyRequest);
689 PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
690 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
691 PolicyRequest deletePolicyRequest;
692 deletePolicyRequest.addEntry(deleteEntry);
693 Api::sendPolicy(deletePolicyRequest);
700 RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
702 const std::string updatePriv = "http://tizen.org/privilege/led";
704 TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL);
707 AppInstallHelper app("security_manager_17b");
708 ScopedInstaller appInstall(app);
710 AppInstallHelper privManager("security_manager_17b_priv_manager", user.getUid());
711 privManager.addPrivilege(SELF_PRIVILEGE);
712 ScopedInstaller privManagerInstall(privManager);
714 SynchronizationPipe synchPipe;
716 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
718 synchPipe.claimParentEp();
720 CynaraTestAdmin::Admin admin;
721 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
722 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
726 admin.adminCheck("", false, app.generateAppLabel().c_str(),
727 user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
731 synchPipe.claimChildEp();
732 Api::setProcessLabel(privManager.getAppId());
733 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
734 "drop_root_privileges failed");
736 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
737 entry.setLevel("Allow");
738 PolicyRequest addPolicyRequest;
739 addPolicyRequest.addEntry(entry);
740 Api::sendPolicy(addPolicyRequest);
744 PolicyRequest deletePolicyRequest;
745 PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
746 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
747 deletePolicyRequest.addEntry(deleteEntry);
748 Api::sendPolicy(deletePolicyRequest);
754 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
756 const std::string username("sm_test_17_user_name");
757 std::vector<AppInstallHelper> appHelpers;
758 std::vector<ScopedInstaller> scopedInstallations;
759 std::map<std::string, unsigned> privToCount;
760 unsigned policyCount = 0;
762 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
765 for (unsigned int i = 0; i < TEST_PRIVILEGES.size(); i++) {
766 AppInstallHelper app("sm_test_17_" + std::to_string(i), user.getUid());
767 app.addPrivileges(TEST_PRIVILEGES[i]);
768 policyCount += app.getPrivileges().size();
770 appHelpers.emplace_back(std::move(app));
771 for (auto &priv: TEST_PRIVILEGES[i]) {
776 AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid());
777 std::string privManagerAppId = privManager.getAppId();
778 privManager.addPrivilege(SELF_PRIVILEGE);
779 privToCount[SELF_PRIVILEGE]++;
780 policyCount += privManager.getPrivileges().size();
782 appHelpers.emplace_back(std::move(privManager));
783 for (const auto &app : appHelpers)
784 scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
787 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
788 if (pid != 0)//parent process
792 Api::setProcessLabel(privManagerAppId);
793 RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
794 "drop_root_privileges failed");
796 for (const auto &privCount : privToCount) {
797 std::vector<PolicyEntry> policyEntries;
798 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first);
799 Api::getPolicy(filter, policyEntries);
800 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
801 RUNNER_ASSERT_MSG(policyEntries.size() == privCount.second,
802 "Number of policies doesn't match - should be: " << privCount.second
803 << " and is " << policyEntries.size());
806 for (const auto &app : appHelpers) {
807 std::vector<PolicyEntry> policyEntries;
808 PolicyEntry filter(app.getAppId(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
809 Api::getPolicy(filter, policyEntries);
810 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
811 RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
812 "Number of policies doesn't match - should be: " << app.getPrivileges().size()
813 << " and is " << policyEntries.size());
816 std::vector<PolicyEntry> policyEntries;
817 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
818 Api::getPolicy(filter, policyEntries);
819 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
820 RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
821 "Number of policies doesn't match - should be: " << policyCount
822 << " and is " << policyEntries.size());
828 RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
830 const std::string askUserDescription = "Ask user";
831 TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
834 AppInstallHelper app("sm_test_18", user.getUid());
835 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
837 PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
838 std::vector<PolicyEntry> policyEntries;
840 PkgPrivacyPrivileges setupPrivacyPrivs(app);
841 ScopedInstaller installer(app);
842 unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
844 Api::getPolicy(filter, policyEntries);
846 RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
847 "Number of policy entries doesn't match; should be " << app.getPrivileges().size()
848 << " but is " << policyEntries.size());
850 if (PolicyConfiguration::getIsAskuserEnabled() ) {
851 unsigned int privacyActNum = 0;
852 for (auto &entry : policyEntries)
853 if (isPrivilegePrivacy(entry.getPrivilege())) {
854 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == askUserDescription,
855 "Invalid policy setup; policy should be \"Ask user\" but is "
856 << entry.getCurrentLevel());
859 RUNNER_ASSERT_MSG(privacyActNum == privacyNum,
860 "Should be " << privacyNum << " privacy privileges,"
861 "but is " << privacyActNum);
865 policyEntries.clear();
866 Api::getPolicy(filter, policyEntries);
867 RUNNER_ASSERT_MSG(policyEntries.size() == 0,
868 "After deinstallation, policy entries size should be 0,"
869 "but is: " << policyEntries.size());
872 void test_privacy_related_privileges(bool isHybrid) {
873 const std::string askUserDescription = "Ask user";
874 TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
877 const std::string pkgId = "sm_test_19_pkg_id";
879 AppInstallHelper app1("sm_test_19_app_id_1", pkgId, user.getUid());
882 app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
883 PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
884 ScopedInstaller installer1(app1);
886 AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
889 app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
890 PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
891 ScopedInstaller installer2(app2);
893 int privacyCount1, privacyCount2;
894 if (!PolicyConfiguration::getIsAskuserEnabled()) {
897 } else if (isHybrid) {
898 privacyCount1 = countPrivacyPrivileges(app1.getPrivileges());
899 privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
901 privacyCount1 = privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
904 std::vector<PolicyEntry> policyEntries;
905 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
906 Api::getPolicy(filter, policyEntries);
908 int privacyAct1 = 0, privacyAct2 = 0;
909 for (auto &entry : policyEntries) {
910 RUNNER_ASSERT_MSG(entry.getAppId() == app1.getAppId() || entry.getAppId() == app2.getAppId(),
911 "Invalid appId: should be either " << app1.getAppId() << " or "
912 << app2.getAppId() << " but is " << entry.getAppId());
913 if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(entry.getPrivilege())) {
914 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == askUserDescription,
915 "Invalid policy setup; policy should be \"Ask user\" but is "
916 << entry.getCurrentLevel());
917 if (entry.getAppId() == app1.getAppId())
923 RUNNER_ASSERT_MSG(privacyCount1 == privacyAct1, "Should be " << privacyCount1
924 << " privacy privileges, but is " << privacyAct1);
925 RUNNER_ASSERT_MSG(privacyCount2 == privacyAct2, "Should be " << privacyCount2
926 << " privacy privileges, but is " << privacyAct2);
929 RUNNER_CHILD_TEST(security_manager_19a_privacy_manager_privacy_related_privileges_policy_hybrid)
931 test_privacy_related_privileges(true);
934 RUNNER_CHILD_TEST(security_manager_19b_privacy_manager_privacy_related_privileges_policy_no_hybrid)
936 test_privacy_related_privileges(false);
939 RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges_policy_admin_check)
941 const std::string askUserDescription = "Ask user";
942 TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
945 AppInstallHelper app("sm_test_20", user.getUid());
946 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
948 PkgPrivacyPrivileges setupPrivacyPrivs(app);
949 ScopedInstaller installer(app);
951 CynaraTestAdmin::Admin admin;
952 int policyType = CYNARA_ADMIN_ALLOW;
953 int privacyPolicyType = -1;
954 if (PolicyConfiguration::getIsAskuserEnabled())
955 admin.getPolicyTypeForDescription(askUserDescription, privacyPolicyType);
957 for (auto &priv : app.getPrivileges()) {
958 if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
959 admin.adminCheck("", true, app.generateAppLabel().c_str(),
960 user.getUidString().c_str(), priv, privacyPolicyType,
963 admin.adminCheck("", true, app.generateAppLabel().c_str(),
964 user.getUidString().c_str(), priv, policyType, nullptr);
969 RUNNER_CHILD_TEST(security_manager_21_fetch_app_manifest_invalid_params)
971 int ret = security_manager_get_app_manifest_policy(nullptr, 0, nullptr, nullptr);
972 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_INPUT_PARAM, "Expected invalid input param, returned " << ret);
976 RUNNER_CHILD_TEST(security_manager_22_fetch_app_manifest_no_app)
980 int ret = security_manager_get_app_manifest_policy("not_existing_app_id", 0, &privileges, &nPrivs);
981 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "Expected no such object error, returned " << ret);
984 RUNNER_CHILD_TEST(security_manager_23_fetch_app_manifest_invalid_user)
986 TemporaryTestUser user("sm_test_23_fetch_username", GUM_USERTYPE_NORMAL);
989 AppInstallHelper app("security_manager_23_fetch", user.getUid());
990 app.setInstallType(SM_APP_INSTALL_LOCAL);
991 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
992 ScopedInstaller appInstall(app);
996 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
997 // Should security-manager check if user exists?
998 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
999 RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
1002 RUNNER_CHILD_TEST(security_manager_24_fetch_app_manifest_auth_error)
1004 TemporaryTestUser user("sm_test_24_fetch_username", GUM_USERTYPE_NORMAL);
1007 AppInstallHelper app("security_manager_24_fetch", user.getUid());
1008 app.setInstallType(SM_APP_INSTALL_LOCAL);
1009 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
1010 ScopedInstaller appInstall(app);
1013 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1014 if (pid != 0) { //parent process
1016 } else { //child process
1017 Api::setProcessLabel(app.getAppId());
1018 RUNNER_ASSERT_ERRNO_MSG(
1019 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1020 "drop_root_privileges failed");
1023 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1024 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected access denied, returned " << ret);
1029 static void check_privileges_from_manifest(const AppInstallHelper &aih, char **privileges, size_t nPrivs)
1031 std::vector<std::string> aihPrivs = aih.getPrivilegesNames();
1032 RUNNER_ASSERT_MSG(nPrivs == aihPrivs.size(), "Expected privileges number: " << aihPrivs.size() << ", got " << nPrivs);
1033 for (size_t i = 0; i < nPrivs; ++i) {
1034 RUNNER_ASSERT_MSG(std::find(aihPrivs.begin(), aihPrivs.end(), std::string(privileges[i])) != aihPrivs.end(),
1035 "Privilege " << privileges[i] << " not found");
1039 RUNNER_CHILD_TEST(security_manager_25_fetch_app_manifest_global_app)
1041 TemporaryTestUser user("sm_test_25_fetch_username", GUM_USERTYPE_NORMAL);
1044 AppInstallHelper app("security_manager_25_fetch");
1045 app.setInstallType(SM_APP_INSTALL_GLOBAL);
1046 app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1047 app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1048 ScopedInstaller appInstall(app);
1053 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1054 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1055 check_privileges_from_manifest(app, privileges, nPrivs);
1056 security_manager_privileges_free(privileges, nPrivs);
1058 // since app is installed globally, also for our temporary user the returned list should be the same
1060 ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1061 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1062 check_privileges_from_manifest(app, privileges, nPrivs);
1063 security_manager_privileges_free(privileges, nPrivs);
1066 RUNNER_CHILD_TEST(security_manager_26_fetch_app_manifest_local_app)
1068 TemporaryTestUser user("sm_test_26_fetch_username", GUM_USERTYPE_NORMAL);
1071 AppInstallHelper app("security_manager_26_fetch", user.getUid());
1072 app.setInstallType(SM_APP_INSTALL_LOCAL);
1073 app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1074 app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1075 ScopedInstaller appInstall(app);
1080 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1081 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1082 check_privileges_from_manifest(app, privileges, nPrivs);
1083 security_manager_privileges_free(privileges, nPrivs);
1085 // since app is installed locally, if we ask for other user (ie. root), we should get empty list of privileges
1087 ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1088 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1089 RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
1092 RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_both_apps)
1094 TemporaryTestUser user("sm_test_27_fetch_username", GUM_USERTYPE_NORMAL);
1097 AppInstallHelper appGlobal("security_manager_27_fetch");
1098 appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);
1099 appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1100 appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1101 appGlobal.addPrivilege(std::string("http://tizen.org/privielge/contacts.read"));
1102 ScopedInstaller appGlobalInstall(appGlobal);
1104 AppInstallHelper appLocal("security_manager_27_fetch", user.getUid());
1105 appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
1106 appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read"));
1107 appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write"));
1108 ScopedInstaller appLocalInstall(appLocal);
1114 int ret = security_manager_get_app_manifest_policy(appLocal.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1115 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1116 check_privileges_from_manifest(appLocal, privileges, nPrivs);
1117 security_manager_privileges_free(privileges, nPrivs);
1120 ret = security_manager_get_app_manifest_policy(appGlobal.getAppId().c_str(), 0, &privileges, &nPrivs);
1121 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected succes, returned " << ret);
1122 check_privileges_from_manifest(appGlobal, privileges, nPrivs);
1123 security_manager_privileges_free(privileges, nPrivs);