2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
23 #include <unordered_set>
27 #include <cynara_test_admin.h>
28 #include <dpl/test/test_runner.h>
30 #include <passwd_access.h>
31 #include <scoped_label.h>
33 #include <sm_commons.h>
34 #include <sm_policy_request.h>
35 #include <sm_request.h>
36 #include <synchronization_pipe.h>
37 #include <temp_test_user.h>
38 #include <tests_common.h>
40 using namespace SecurityManagerTest;
42 static const std::vector<std::string> PM_MANY_APPS = {
43 "security_manager_pm_app_1",
44 "security_manager_pm_app_2",
45 "security_manager_pm_app_3",
46 "security_manager_pm_app_4",
47 "security_manager_pm_app_5"
50 const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
51 const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
52 const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
53 const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
55 static const std::map<std::string, struct app_attributes> PM_MANY_APPS_PKGS = {
56 {"security_manager_pm_app_1", {"security_manager_pm_pkg_1", "2.1"}},
57 {"security_manager_pm_app_2", {"security_manager_pm_pkg_2", "3.0"}},
58 {"security_manager_pm_app_3", {"security_manager_pm_pkg_3", "2.1.1"}},
59 {"security_manager_pm_app_4", {"security_manager_pm_pkg_4", "3.1"}},
60 {"security_manager_pm_app_5", {"security_manager_pm_pkg_5", "2.2"}},
61 {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}}
64 static const std::vector<privileges_t> PM_MANY_APPS_PRIVILEGES = {
66 "http://tizen.org/privilege/internet",
67 "http://tizen.org/privilege/display"
70 "http://tizen.org/privilege/telephony",
71 "http://tizen.org/privilege/datasharing"
74 "http://tizen.org/privilege/content.write",
75 "http://tizen.org/privilege/led",
76 "http://tizen.org/privilege/email"
79 "http://tizen.org/privilege/led",
80 "http://tizen.org/privilege/email",
81 "http://tizen.org/privilege/telephony",
82 "http://tizen.org/privilege/datasharing"
85 "http://tizen.org/privilege/internet",
86 "http://tizen.org/privilege/display",
87 "http://tizen.org/privilege/led",
88 "http://tizen.org/privilege/email"
92 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
94 static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
96 InstallRequest request;
97 request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
98 request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
100 request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
102 request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
103 Api::install(request);
104 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
107 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
110 const std::string username("sm_test_10_user_name");
111 unsigned int privileges_count = 0;
113 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
114 std::map<std::string, std::set<std::string>> apps2PrivsMap;
116 for (unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
117 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
118 PM_MANY_APPS.at(i), std::set<std::string>(
119 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
120 PM_MANY_APPS_PRIVILEGES.at(i).end())));
121 privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
124 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
125 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
127 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
130 SynchronizationPipe pipe;
133 if (pid != 0) { //parent process
134 pipe.claimParentEp();
135 TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
138 for(const auto &user : users2AppsMap) {
139 for(const auto &app : user.second) {
140 InstallRequest requestInst;
141 requestInst.setAppId(app.first.c_str());
143 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
144 } catch (const std::out_of_range &e) {
145 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
147 requestInst.setUid(tmpUser.getUid());
149 for (const auto &privilege : app.second) {
150 requestInst.addPrivilege(privilege.c_str());
153 Api::install(requestInst);
156 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
159 //Start child process
164 } else { //child process
168 uid_t uid; gid_t gid;
169 PasswdAccess::allUser(username, uid, gid);
170 std::string uidStr = std::to_string(uid);
171 register_current_process_as_privilege_manager(uid);
172 int result = drop_root_privileges(uid, gid);
173 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
175 std::vector<PolicyEntry> policyEntries;
177 Api::getPolicy(filter, policyEntries);
179 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
180 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
182 for (const auto &policyEntry : policyEntries) {
183 std::string user = policyEntry.getUser();
184 std::string app = policyEntry.getAppId();
185 std::string privilege = policyEntry.getPrivilege();
187 RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
190 std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
191 if (tmp == users2AppsMap.at(username).at(app).end())
192 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
193 } catch (const std::out_of_range &e) {
194 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
201 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
204 const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
205 unsigned int privileges_count = 0;
207 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
208 std::map<std::string, std::set<std::string>> apps2PrivsMap;
210 for (const auto &username : usernames) {
211 //Only entries for one of the users will be listed
212 privileges_count = 0;
214 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
215 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
216 PM_MANY_APPS.at(i), std::set<std::string>(
217 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
218 PM_MANY_APPS_PRIVILEGES.at(i).end())));
219 privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
222 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
225 users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
226 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
231 SynchronizationPipe pipe;
234 if (pid != 0) { //parent process
235 pipe.claimParentEp();
236 std::vector<TemporaryTestUser> users = {
237 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
238 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
241 users.at(0).create();
242 users.at(1).create();
244 //Install apps for both users
245 for(const auto &user : users) {
246 for(const auto &app : users2AppsMap.at(user.getUserName())) {
247 InstallRequest requestInst;
248 requestInst.setAppId(app.first.c_str());
250 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
251 } catch (const std::out_of_range &e) {
252 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
254 requestInst.setUid(user.getUid());
256 for (const auto &privilege : app.second) {
257 requestInst.addPrivilege(privilege.c_str());
260 Api::install(requestInst);
263 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
270 for (auto &user : users)
273 } else { //child process
277 uid_t uid; gid_t gid;
278 PasswdAccess::allUser(usernames.at(0), uid, gid);
279 std::string uidStr = std::to_string(uid);
280 register_current_process_as_privilege_manager(uid);
282 //change uid to normal user
284 int result = drop_root_privileges(uid, gid);
285 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
287 std::vector<PolicyEntry> policyEntries;
290 //this call should only return privileges belonging to the current uid
291 Api::getPolicy(filter, policyEntries);
293 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
294 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
296 for (const auto &policyEntry : policyEntries) {
297 std::string user = policyEntry.getUser();
298 std::string app = policyEntry.getAppId();
299 std::string privilege = policyEntry.getPrivilege();
301 RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
304 std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
305 if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
306 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
307 } catch (const std::out_of_range &e) {
308 RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
315 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
317 std::vector<PolicyEntry> oldPolicyVec;
318 Api::getPolicy(PolicyEntry(), oldPolicyVec);
319 std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
322 const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
323 unsigned int privileges_count = oldPolicyVec.size();
325 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
326 std::map<std::string, std::set<std::string>> apps2PrivsMap;
328 for (const auto &username : usernames) {
329 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
330 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
331 PM_MANY_APPS.at(i), std::set<std::string>(
332 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
333 PM_MANY_APPS_PRIVILEGES.at(i).end())));
334 privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
337 users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
340 users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
341 std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
343 privileges_count += 2;
346 SynchronizationPipe pipe;
349 if (pid != 0) { //parent process
350 pipe.claimParentEp();
351 std::vector<TemporaryTestUser> users = {
352 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
353 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
356 users.at(0).create();
357 users.at(1).create();
358 //Install apps for both users
359 for(const auto &user : users) {
360 for(const auto &app : users2AppsMap.at(user.getUserName())) {
361 InstallRequest requestInst;
362 requestInst.setAppId(app.first.c_str());
364 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
365 } catch (const std::out_of_range &e) {
366 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
368 requestInst.setUid(user.getUid());
370 for (const auto &privilege : app.second) {
371 requestInst.addPrivilege(privilege.c_str());
374 Api::install(requestInst);
377 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
380 //Start child process
384 for (auto &user : users)
387 } else { //child process
393 PasswdAccess::allUser(usernames.at(1), adminUid, adminGid);
394 std::string adminUidStr = std::to_string(adminUid);
395 uid_t normalUid = PasswdAccess::uid(usernames.at(0));
396 std::string normalUidStr = std::to_string(normalUid);
397 register_current_process_as_privilege_manager(adminUid, true);
399 //change uid to normal user
400 int result = drop_root_privileges(adminUid, adminGid);
401 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
404 std::vector<PolicyEntry> policyEntries;
405 //this call should succeed as the calling user is privileged
406 Api::getPolicy(PolicyEntry(), policyEntries);
408 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
409 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
411 for (const auto &policyEntry : policyEntries) {
412 if (oldPolicySet.count(policyEntry))
415 std::string user = policyEntry.getUser();
416 std::string app = policyEntry.getAppId();
417 std::string privilege = policyEntry.getPrivilege();
419 RUNNER_ASSERT_MSG(user == normalUidStr || user == adminUidStr, "Unexpected user: " << user);
421 std::string uidStrToLook = user == normalUidStr ? usernames.at(0) : usernames.at(1);
424 std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
425 if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
426 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
427 } catch (const std::out_of_range &e) {
428 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
429 } catch (const std::invalid_argument& e) {
430 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
438 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
441 const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
443 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
444 std::map<std::string, std::set<std::string>> apps2PrivsMap;
446 for (const auto &username : usernames) {
448 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
449 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
450 PM_MANY_APPS.at(i), std::set<std::string>(
451 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
452 PM_MANY_APPS_PRIVILEGES.at(i).end())));
455 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
458 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
459 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
464 SynchronizationPipe sync[2];
465 std::vector<PolicyEntry> policyEntries;
469 if (pid[0] == 0) { //child #1 process
470 sync[0].claimChildEp();
473 uid_t uid; gid_t gid;
474 PasswdAccess::allUser(usernames.at(0), uid, gid);
475 register_current_process_as_privilege_manager(uid);
477 //change uid to normal user
478 int result = drop_root_privileges(uid, gid);
479 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
482 PolicyRequest policyRequest;
484 PolicyEntry policyEntry(
487 "http://tizen.org/privilege/internet"
489 policyEntry.setLevel("Deny");
491 policyRequest.addEntry(policyEntry);
492 policyEntry = PolicyEntry(
495 "http://tizen.org/privilege/display"
497 policyEntry.setLevel("Deny");
499 policyRequest.addEntry(policyEntry);
500 Api::sendPolicy(policyRequest);
503 } else { //parent process
504 sync[0].claimParentEp();
507 if (pid[1] == 0) { //child #2 process
508 sync[1].claimChildEp();
511 uid_t target_uid = PasswdAccess::uid(usernames.at(0));
514 PasswdAccess::allUser(usernames.at(1), my_uid, my_gid);
516 register_current_process_as_privilege_manager(my_uid);
518 //change uid to normal user
519 int result = drop_root_privileges(my_uid, my_gid);
520 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
522 PolicyEntry filter = PolicyEntry(
523 SECURITY_MANAGER_ANY,
524 std::to_string(target_uid),
528 //U2 requests contents of U1 privacy manager - should fail
529 Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
530 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
532 filter = PolicyEntry(
533 SECURITY_MANAGER_ANY,
534 SECURITY_MANAGER_ANY,
538 policyEntries.clear();
540 //U2 requests contents of ADMIN bucket - should fail
541 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
542 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
545 sync[1].claimParentEp();
546 std::vector<TemporaryTestUser> users = {
547 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
548 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
551 users.at(0).create();
552 users.at(1).create();
554 //Install apps for both users
555 for(const auto &user : users2AppsMap) {
557 for(const auto &app : user.second) {
558 InstallRequest requestInst;
559 requestInst.setAppId(app.first.c_str());
561 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
562 } catch (const std::out_of_range &e) {
563 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
565 requestInst.setUid(users.at(0).getUid());
567 for (const auto &privilege : app.second) {
568 requestInst.addPrivilege(privilege.c_str());
571 Api::install(requestInst);
574 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
585 for (auto &user : users)
591 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
594 const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
595 unsigned int privileges_count = 0;
597 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
598 std::map<std::string, std::set<std::string>> apps2PrivsMap;
600 for (const auto &username : usernames) {
602 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
603 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
604 PM_MANY_APPS.at(i), std::set<std::string>(
605 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
606 PM_MANY_APPS_PRIVILEGES.at(i).end())));
607 privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
610 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
613 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
614 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
616 privileges_count += 2;
618 SynchronizationPipe pipe;
622 pipe.claimParentEp();
623 std::vector<TemporaryTestUser> users = {
624 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
625 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
628 users.at(0).create();
629 users.at(1).create();
631 //Install apps for both users
632 for(const auto &user : users) {
634 for(const auto &app : users2AppsMap.at(user.getUserName())) {
635 InstallRequest requestInst;
636 requestInst.setAppId(app.first.c_str());
638 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
639 } catch (const std::out_of_range &e) {
640 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
642 requestInst.setUid(user.getUid());
644 for (const auto &privilege : app.second) {
645 requestInst.addPrivilege(privilege.c_str());
648 Api::install(requestInst);
652 //Start child process
656 //switch back to root
657 for (auto &user : users)
660 } else { //child process
664 uid_t uid; gid_t gid;
665 PasswdAccess::allUser(usernames.at(1), uid, gid);
666 register_current_process_as_privilege_manager(uid, true);
668 //change uid to normal user
669 int result = drop_root_privileges(uid, gid);
670 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
672 PolicyRequest *policyRequest = new PolicyRequest();
674 std::vector<PolicyEntry> policyEntries;
675 //this call should succeed as the calling user is privileged
676 Api::getPolicyForSelf(filter, policyEntries);
678 unsigned int policyNum = policyEntries.size();
680 PolicyEntry policyEntry(
681 SECURITY_MANAGER_ANY,
682 SECURITY_MANAGER_ANY,
683 "http://tizen.org/privilege/internet"
685 policyEntry.setMaxLevel("Deny");
687 policyRequest->addEntry(policyEntry);
688 policyEntry = PolicyEntry(
689 SECURITY_MANAGER_ANY,
690 SECURITY_MANAGER_ANY,
691 "http://tizen.org/privilege/display"
693 policyEntry.setMaxLevel("Deny");
695 policyRequest->addEntry(policyEntry);
696 Api::sendPolicy(*policyRequest);
697 Api::getPolicyForAdmin(filter, policyEntries);
699 RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
700 << policyNum + 2 << " and is " << policyEntries.size());
702 delete policyRequest;
703 policyRequest = new PolicyRequest();
704 policyEntry = PolicyEntry(
705 SECURITY_MANAGER_ANY,
706 SECURITY_MANAGER_ANY,
707 "http://tizen.org/privilege/internet"
709 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
710 policyRequest->addEntry(policyEntry);
712 policyEntry = PolicyEntry(
713 SECURITY_MANAGER_ANY,
714 SECURITY_MANAGER_ANY,
715 "http://tizen.org/privilege/display"
717 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
719 policyRequest->addEntry(policyEntry);
720 Api::sendPolicy(*policyRequest);
722 policyEntries.clear();
723 Api::getPolicyForAdmin(filter, policyEntries);
724 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
726 delete policyRequest;
733 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
735 const char *const update_app_id = "security_manager_15_update_app_id";
736 const char *const update_privilege = "http://tizen.org/privilege/led";
737 const char *const check_start_bucket = "ADMIN";
738 const std::string username("sm_test_15_username");
739 PolicyRequest addPolicyRequest;
740 CynaraTestAdmin::Admin admin;
741 ScopedProcessLabel keepLabel;
752 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
754 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
758 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
759 if (pid != 0)//parent process
761 FdUniquePtr pipeptr(pipefd+1);
764 register_current_process_as_privilege_manager(user.getUid(), true);
767 msg.uid = user.getUid();
768 msg.gid = user.getGid();
770 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
771 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
775 admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
776 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
780 FdUniquePtr pipeptr(pipefd);
783 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
784 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
786 //become admin privacy manager manager
787 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
788 result = drop_root_privileges(msg.uid, msg.gid);
789 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
791 // FIXME - Application has to be installed for it to have policy set in SM
792 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
793 entry.setMaxLevel("Allow");
795 addPolicyRequest.addEntry(entry);
796 Api::sendPolicy(addPolicyRequest);
801 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
803 const char *const update_other_app_id = "security_manager_15_update_other_app_id";
804 const char *const update_privilege = "http://tizen.org/privilege/led";
805 const char *const check_start_bucket = "ADMIN";
806 const std::string username("sm_test_15_username");
807 PolicyRequest addPolicyRequest;
808 CynaraTestAdmin::Admin admin;
809 ScopedProcessLabel keepLabel;
820 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
822 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
826 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
827 if (pid != 0)//parent process
829 FdUniquePtr pipeptr(pipefd+1);
832 register_current_process_as_privilege_manager(user.getUid(), true);
835 msg.uid = user.getUid();
836 msg.gid = user.getGid();
838 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
839 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
843 admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_other_app_id, "").c_str(),
844 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
848 FdUniquePtr pipeptr(pipefd);
851 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
852 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
854 //become admin privacy manager manager
855 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
856 result = drop_root_privileges(msg.uid, msg.gid);
857 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
859 // use wildcard as appId
860 PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
861 entry.setMaxLevel("Allow");
863 addPolicyRequest.addEntry(entry);
864 Api::sendPolicy(addPolicyRequest);
869 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
871 const char *const update_app_id = "security_manager_15_update_app_id";
872 const char *const update_privilege = "http://tizen.org/privilege/led";
873 const char *const check_start_bucket = "";
874 const std::string username("sm_test_15_username");
875 PolicyRequest addPolicyRequest;
876 CynaraTestAdmin::Admin admin;
877 ScopedProcessLabel keepLabel;
888 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
890 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
894 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
895 if (pid != 0)//parent process
897 FdUniquePtr pipeptr(pipefd+1);
900 register_current_process_as_privilege_manager(user.getUid(), false);
903 msg.uid = user.getUid();
904 msg.gid = user.getGid();
906 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
907 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
911 admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
912 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
916 FdUniquePtr pipeptr(pipefd);
919 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
920 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
922 //become admin privacy manager manager
923 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
924 result = drop_root_privileges(msg.uid, msg.gid);
925 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
927 // FIXME - Application has to be installed for it to have policy set in SM
928 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
929 entry.setLevel("Allow");
931 addPolicyRequest.addEntry(entry);
932 Api::sendPolicy(addPolicyRequest);
937 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
939 const std::string username("sm_test_16_user_cynara_policy");
940 CynaraTestAdmin::Admin admin;
950 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
952 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
956 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
957 if (pid != 0)//parent process
959 FdUniquePtr pipeptr(pipefd+1);
963 msg.uid = user.getUid();
964 msg.gid = user.getGid();
966 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
967 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
975 std::string allow_policy, deny_policy;
977 FdUniquePtr pipeptr(pipefd);
980 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
981 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
983 //become admin privacy manager manager
984 result = drop_root_privileges(msg.uid, msg.gid);
985 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
987 // 3 should be there when ask-user is installed
988 ret = security_manager_policy_levels_get(&levels, &count);
990 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
991 "Invlid return code: " << ret);
993 RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
995 deny_policy = std::string(levels[0]);
996 allow_policy = std::string(levels[count-1]);
998 // first should always be Deny
999 RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
1000 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
1002 // last should always be Allow
1003 RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
1004 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
1006 security_manager_policy_levels_free(levels, count);
1011 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
1013 const char *const update_app_id = "security_manager_17_update_app_id";
1014 const char *const update_privilege = "http://tizen.org/privilege/led";
1015 const char *const check_start_bucket = "";
1016 const std::string username("sm_test_17_username");
1017 PolicyRequest addPolicyRequest;
1018 CynaraTestAdmin::Admin admin;
1029 ScopedProcessLabel keepLabel;
1031 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1032 RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
1034 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1038 RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
1039 if (pid[0] != 0)//parent process
1041 FdUniquePtr pipeptr(pipefd+1);
1044 register_current_process_as_privilege_manager(user.getUid(), false);
1046 //send info to child
1047 msg.uid = user.getUid();
1048 msg.gid = user.getGid();
1050 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1051 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1055 admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
1056 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1059 if (pid[1] != 0)//parent process
1061 FdUniquePtr pipeptr(pipefd2+1);
1064 //send info to child
1065 msg.uid = user.getUid();
1066 msg.gid = user.getGid();
1068 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
1069 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1073 admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_app_id, "").c_str(),
1074 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
1078 FdUniquePtr pipeptr(pipefd2);
1081 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
1082 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1084 result = drop_root_privileges(msg.uid, msg.gid);
1085 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1087 // delete this entry
1088 PolicyRequest deletePolicyRequest;
1089 // FIXME - Application has to be installed for it to have policy set in SM
1090 PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1091 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
1093 deletePolicyRequest.addEntry(deleteEntry);
1094 Api::sendPolicy(deletePolicyRequest);
1100 FdUniquePtr pipeptr(pipefd);
1103 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1104 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1106 //become admin privacy manager manager
1107 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1108 result = drop_root_privileges(msg.uid, msg.gid);
1109 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1111 // FIXME - Application has to be installed for it to have policy set in SM
1112 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1113 entry.setLevel("Allow");
1115 addPolicyRequest.addEntry(entry);
1116 Api::sendPolicy(addPolicyRequest);
1121 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
1123 const std::string username("sm_test_17_user_name");
1128 unsigned int privileges_count;
1134 ScopedProcessLabel keepLabel;
1136 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1139 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1140 if (pid != 0)//parent process
1142 FdUniquePtr pipeptr(pipefd+1);
1145 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
1148 unsigned int privileges_count = 0;
1150 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
1151 InstallRequest requestInst;
1152 requestInst.setAppId(PM_MANY_APPS[i].c_str());
1153 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(PM_MANY_APPS[i]).package.c_str());
1154 requestInst.setUid(user.getUid());
1156 for (auto &priv : PM_MANY_APPS_PRIVILEGES.at(i)) {
1157 requestInst.addPrivilege(priv.c_str());
1160 Api::install(requestInst);
1161 privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
1164 register_current_process_as_privilege_manager(user.getUid(), false);
1165 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
1168 //send info to child
1169 msg.uid = user.getUid();
1170 msg.gid = user.getGid();
1171 msg.privileges_count = privileges_count;
1173 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1174 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1180 FdUniquePtr pipeptr(pipefd);
1183 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1184 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1186 //become admin privacy manager manager
1187 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1188 result = drop_root_privileges(msg.uid, msg.gid);
1189 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1191 // filter by privilege
1192 std::vector<PolicyEntry> policyEntries;
1193 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
1194 Api::getPolicy(filter, policyEntries);
1196 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1197 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1199 // filter by other privilege
1200 policyEntries.clear();
1201 PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
1202 Api::getPolicy(filter2, policyEntries);
1204 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1205 RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
1208 policyEntries.clear();
1209 PolicyEntry filter3(PM_MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
1210 Api::getPolicy(filter3, policyEntries);
1212 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1213 RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());