projects / platform / core / test / security-tests.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge branch 'tizen' into ckm
[platform/core/test/security-tests.git] / src / security-manager-tests / test_cases_privacy_manager.cpp
1 /*
2  * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd All Rights Reserved
3  *
4  *    Licensed under the Apache License, Version 2.0 (the "License");
5  *    you may not use this file except in compliance with the License.
6  *    You may obtain a copy of the License at
7  *
8  *        http://www.apache.org/licenses/LICENSE-2.0
9  *
10  *    Unless required by applicable law or agreed to in writing, software
11  *    distributed under the License is distributed on an "AS IS" BASIS,
12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  *    See the License for the specific language governing permissions and
14  *    limitations under the License.
15  */
16
17 #include <algorithm>
18 #include <cstdlib>
19 #include <map>
20 #include <string>
21 #include <sys/types.h>
22 #include <unistd.h>
23 #include <unordered_set>
24 #include <utility>
25 #include <vector>
26
27 #include <app_install_helper.h>
28 #include <cynara_test_admin.h>
29 #include <dpl/test/test_runner.h>
30 #include <dpl/test/test_runner_child.h>
31 #include <pkg_privacy_privileges.h>
32 #include <policy_configuration.h>
33 #include <scoped_installer.h>
34 #include <sm_api.h>
35 #include <sm_commons.h>
36 #include <sm_policy_request.h>
37 #include <sm_request.h>
38 #include <synchronization_pipe.h>
39 #include <temp_test_user.h>
40 #include <tests_common.h>
41 #include <privilege_names.h>
42 #include <app_def_privilege.h>
43
44 using namespace SecurityManagerTest;
45 using namespace PrivilegeNames;
46 namespace {
47 struct UserInfo {
48     std::string userName;
49     GumUserType userType;
50 };
51
52 // Privileges required for having permission to self/admin get/set policies.
53 const std::string& SELF_PRIVILEGE = PRIV_NOTEXIST;
54 const std::string& ADMIN_PRIVILEGE = PRIV_INTERNAL_USERMANAGEMENT;
55
56 const std::vector<PrivilegeVector> TEST_PRIVILEGES = {
57     {PRIV_INTERNET, PRIV_DISPLAY},
58     {PRIV_TELEPHONY, PRIV_DATASHARING},
59     {PRIV_CONTENT_WRITE, PRIV_LED, PRIV_EMAIL},
60     {PRIV_LED, PRIV_EMAIL, PRIV_TELEPHONY, PRIV_DATASHARING},
61     {PRIV_INTERNET, PRIV_DISPLAY, PRIV_LED, PRIV_EMAIL}
62 };
63
64 const PrivilegeVector TEST_PRIVACY_PRIVILEGES[] = {
65     {
66         Privilege(PRIV_TELEPHONY),
67         Privilege(PRIV_LED),
68         Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY),
69         Privilege(PRIV_ACCOUNT_READ, Privilege::PRIVACY),
70         Privilege(PRIV_HEALTHINFO, Privilege::PRIVACY),
71     },
72     {
73         Privilege(PRIV_TELEPHONY),
74         Privilege(PRIV_LED),
75         Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY),
76     }
77 };
78
79 }
80
81 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
82
83 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
84 {
85     TemporaryTestUser tmpUser("sm_test_10_user_name", GUM_USERTYPE_NORMAL, false);
86     tmpUser.create();
87
88     unsigned expectedPolicyCount = 0;
89     std::map<std::string, AppInstallHelper> appIdToAIH;
90     for (unsigned i = 0; i < TEST_PRIVILEGES.size(); i++) {
91         AppInstallHelper app("sm_test_10_" + std::to_string(i), tmpUser.getUid());
92         app.addPrivileges(TEST_PRIVILEGES[i]);
93         expectedPolicyCount += app.getPrivileges().size();
94         appIdToAIH.emplace(app.getAppId(), std::move(app));
95     }
96
97     AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid());
98     std::string privManagerAppId = privManager.getAppId();
99     privManager.addPrivilege(SELF_PRIVILEGE);
100     expectedPolicyCount += privManager.getPrivileges().size();
101     appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));
102
103     std::vector<ScopedInstaller> scopedInstallations;
104     for (const auto &appIdAIH : appIdToAIH) {
105         scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
106     }
107
108     pid_t pid = fork();
109     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
110     if (pid != 0) { //parent process
111         waitPid(pid);
112     } else { //child process
113         Api::setProcessLabel(privManagerAppId);
114         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
115                                 "drop_root_privileges failed");
116
117         std::vector<PolicyEntry> policyEntries;
118         Api::getPolicy(PolicyEntry(), policyEntries);
119
120         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
121         RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
122                           "Number of policies doesn't match - should be: " << expectedPolicyCount
123                           << " and is " << policyEntries.size());
124
125         for (const auto &policyEntry : policyEntries) {
126             std::string user = policyEntry.getUser();
127             std::string app = policyEntry.getAppId();
128             std::string privilege = policyEntry.getPrivilege();
129
130             RUNNER_ASSERT_MSG(user == tmpUser.getUidString(), "Unexpected user: " << user);
131
132             auto appIt = appIdToAIH.find(app);
133             RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
134
135             AppInstallHelper &aih = appIt->second;
136             auto& appPrivileges = aih.getPrivileges();
137             auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
138             RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
139                               "Unexpected privilege " << privilege << " for app " << app);
140         }
141         exit(0);
142     }
143 }
144
145 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
146 {
147     const std::string normalNameToSwitch = "sm_test_11_user_name_normal";
148     const std::vector<UserInfo> userInfos = {{normalNameToSwitch, GUM_USERTYPE_NORMAL},
149                                              {"sm_test_11_user_name_admin", GUM_USERTYPE_ADMIN}};
150
151     std::map<std::string, TemporaryTestUser> usernameToTTU;
152     // uid + app_id -> AppInstallHelper (different users can have same app_id installed)
153     std::map<std::pair<uid_t,std::string>, AppInstallHelper> userAppIdToAIH;
154     unsigned expectedPolicyCount = 0;
155
156     for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
157         TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
158         user.create();
159
160         for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
161             AppInstallHelper app("sm_test_11_" + std::to_string(p_i), user.getUid());
162             app.addPrivileges(TEST_PRIVILEGES[p_i]);
163             if (user.getUserName() == normalNameToSwitch) // Only entries for this user should be fetched
164                 expectedPolicyCount += app.getPrivileges().size();
165             userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
166         };
167
168         usernameToTTU.emplace(userInfos[u_i].userName, std::move(user));
169     };
170
171     TemporaryTestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch);
172
173     AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid());
174     std::string privManagerAppId = privManager.getAppId();
175     privManager.addPrivilege(SELF_PRIVILEGE);
176     expectedPolicyCount += privManager.getPrivileges().size();
177     userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()),
178                            std::move(privManager));
179
180     std::vector<ScopedInstaller> scopedInstallations;
181     for (const auto &userAppIdAIH : userAppIdToAIH) {
182         scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
183     }
184
185     pid_t pid = fork();
186     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
187     if (pid != 0) { //parent process
188         waitPid(pid);
189     } else { //child process
190         Api::setProcessLabel(privManagerAppId);
191         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
192                                                      normalUserToSwitch.getGid()) == 0,
193                                 "drop_root_privileges failed");
194
195         std::vector<PolicyEntry> policyEntries;
196         Api::getPolicy(PolicyEntry(), policyEntries);
197
198         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
199         RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
200                           "Number of policies doesn't match - should be: " << expectedPolicyCount
201                           << " and is " << policyEntries.size());
202
203         for (const auto &policyEntry : policyEntries) {
204             // Expect policy only for current process user
205             std::string user = policyEntry.getUser();
206             std::string app = policyEntry.getAppId();
207             std::string privilege = policyEntry.getPrivilege();
208
209             RUNNER_ASSERT_MSG(normalUserToSwitch.getUidString() == user, "Unexpected user: " << user);
210             auto userAppIdToAIHIt = userAppIdToAIH.find(std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
211             RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
212                               "Unknown app " << app << " for user " << user);
213
214             AppInstallHelper &aih = userAppIdToAIHIt->second;
215             auto privs = aih.getPrivileges();
216
217             auto& appPrivileges = aih.getPrivileges();
218             auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
219             RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
220                               "Unexpected privilege " << privilege << " for app " << app);
221         }
222         exit(0);
223     }
224 }
225
226 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
227 {
228     std::vector<PolicyEntry> oldPolicyVec;
229     Api::getPolicy(PolicyEntry(), oldPolicyVec);
230     std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
231
232     std::string adminNameToSwitch = "sm_test_12_user_name_admin";
233     const std::vector<UserInfo> userInfos = {{"sm_test_12_user_name_normal",GUM_USERTYPE_NORMAL},
234                                              {adminNameToSwitch, GUM_USERTYPE_ADMIN}};
235
236     std::map<std::string, TemporaryTestUser> usernameToTTU;
237     std::vector<std::string> uidStrings;
238     // uidstring + app_id -> AppInstallHelper
239     std::map<std::pair<uid_t, std::string>, AppInstallHelper> userAppIdToAIH;
240     unsigned expectedPolicyCount = oldPolicyVec.size();
241
242     for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
243         TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
244         user.create();
245         uidStrings.push_back(user.getUidString());
246
247         for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
248             AppInstallHelper app("sm_test_12_" + std::to_string(p_i), user.getUid());
249             // Shift privileges, so same app_id for different users doesn't have same privileges
250             app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
251             expectedPolicyCount += app.getPrivileges().size();
252             userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
253         };
254         usernameToTTU.emplace(user.getUserName(), std::move(user));
255     };
256
257     TemporaryTestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch);
258
259     AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid());
260     std::string privManagerAppId = privManager.getAppId();
261     privManager.addPrivilege(SELF_PRIVILEGE);
262     privManager.addPrivilege(ADMIN_PRIVILEGE);
263     expectedPolicyCount += privManager.getPrivileges().size();
264
265     userAppIdToAIH.emplace(std::make_pair(adminUserToSwitch.getUid(), privManager.getAppId()),
266                            std::move(privManager));
267
268     std::vector<ScopedInstaller> scopedInstallations;
269     for (const auto &userAppIdAIH : userAppIdToAIH) {
270         scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
271     }
272
273     pid_t pid = fork();
274     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
275     if (pid != 0) { //parent process
276         waitPid(pid);
277     } else { //child process
278         Api::setProcessLabel(privManagerAppId);
279         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
280                                                      adminUserToSwitch.getGid()) == 0,
281                                 "drop_root_privileges failed");
282
283         std::vector<PolicyEntry> policyEntries;
284         Api::getPolicy(PolicyEntry(), policyEntries);
285         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
286         RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
287                           "Number of policies doesn't match - should be: " << expectedPolicyCount
288                           << " and is " << policyEntries.size());
289
290         for (const auto &policyEntry : policyEntries) {
291             // Expect policy for all users to be returned
292             if (oldPolicySet.count(policyEntry))
293                 continue;
294             std::string user = policyEntry.getUser();
295             std::string app = policyEntry.getAppId();
296             std::string privilege = policyEntry.getPrivilege();
297
298             auto uidStringIt = std::find(uidStrings.begin(), uidStrings.end(), user);
299             RUNNER_ASSERT_MSG(uidStringIt != uidStrings.end(), "Unexpected user: " << user);
300
301             auto userAppIdToAIHIt = userAppIdToAIH.find(
302                     std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
303             RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
304                               "Unknown app " << app << " for user " << user);
305
306             AppInstallHelper &aih = userAppIdToAIHIt->second;
307             auto privs = aih.getPrivileges();
308
309             auto& appPrivileges = aih.getPrivileges();
310             auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
311             RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
312                               "Unexpected privilege " << privilege << " for app " << app);
313         };
314         exit(0);
315     };
316 }
317
318 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
319 {
320     std::string normalName = "sm_test_13_user_name_normal";
321     std::string adminName = "sm_test_13_user_name_admin";
322     const std::vector<UserInfo> userInfos = {{normalName,GUM_USERTYPE_NORMAL},
323                                              {adminName, GUM_USERTYPE_ADMIN}};
324
325     std::map<std::string, TemporaryTestUser> usernameToTTU;
326     std::map<uid_t, std::vector<AppInstallHelper>> uidToAIHs;
327     unsigned expectedPolicyCount = 0;
328     std::string privManagerAppId;
329
330     for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
331         //Only entries for one of the users will be listed
332         TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
333         user.create();
334
335         for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
336             AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid());
337             // Shift privileges, so same app_id for different user doesn't have same privileges
338             app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
339             expectedPolicyCount += app.getPrivileges().size();
340             uidToAIHs[user.getUid()].emplace_back(std::move(app));
341         };
342         AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid());
343         privManagerAppId = privManager.getAppId();
344         privManager.addPrivilege(SELF_PRIVILEGE);
345         expectedPolicyCount += privManager.getPrivileges().size();
346         uidToAIHs[user.getUid()].emplace_back(std::move(privManager));
347
348         usernameToTTU.emplace(user.getUserName(), std::move(user));
349     };
350
351     std::vector<ScopedInstaller> scopedInstallations;
352     for (const auto &userAIHs : uidToAIHs) {
353         for (const auto &aih : userAIHs.second)
354         scopedInstallations.emplace_back(ScopedInstaller(aih));
355     }
356
357     TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
358     TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
359
360     pid_t pid = fork();
361     RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
362     if (pid == 0) { //child #1 process
363         Api::setProcessLabel(privManagerAppId);
364         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
365                                 "drop_root_privileges failed");
366         auto &app1 = uidToAIHs[normalUser.getUid()][0];
367         auto &app2 = uidToAIHs[normalUser.getUid()][0];
368         PolicyRequest policyRequest;
369         PolicyEntry policyEntry(
370                 app1.getAppId(),
371                 normalUser.getUidString(),
372                 app1.getPrivileges()[0]
373                 );
374         policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
375
376         policyRequest.addEntry(policyEntry);
377         policyEntry = PolicyEntry(
378                 app2.getAppId(),
379                 normalUser.getUidString(),
380                 app1.getPrivileges()[1]
381                 );
382         policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
383         policyRequest.addEntry(policyEntry);
384         Api::sendPolicy(policyRequest);
385
386         exit(0);
387     } else {
388         waitPid(pid);
389         pid = fork();
390         RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
391         if (pid == 0) { //child #2 process
392             Api::setProcessLabel(privManagerAppId);
393             // Admin user, but in context of app, which doesn't have usermanagement privilege
394             RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
395                               "drop_root_privileges failed");
396
397             PolicyEntry filter = PolicyEntry(
398                         SECURITY_MANAGER_ANY,
399                         normalUser.getUidString(),
400                         SECURITY_MANAGER_ANY
401                         );
402             std::vector<PolicyEntry> policyEntries;
403             //U2 requests contents of U1 privacy manager - should fail
404             Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
405             RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
406                               << policyEntries.size() << " entries");
407
408             filter = PolicyEntry(
409                         SECURITY_MANAGER_ANY,
410                         SECURITY_MANAGER_ANY,
411                         SECURITY_MANAGER_ANY
412                         );
413
414             policyEntries.clear();
415
416             //U2 requests contents of ADMIN bucket - should fail
417             Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
418             RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
419                               << policyEntries.size() << " entries");
420             exit(0);
421         } else {
422             waitPid(pid);
423         }
424     }
425 }
426
427 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
428 {
429     TemporaryTestUser adminUserToSwitch("sm_test_14_user_name_admin", GUM_USERTYPE_ADMIN);
430     adminUserToSwitch.create();
431
432     AppInstallHelper privManager("sm_test_14_priv_manager", adminUserToSwitch.getUid());
433     privManager.addPrivilege(ADMIN_PRIVILEGE);
434
435     ScopedInstaller privManagerInstall(privManager);
436
437     pid_t pid = fork();
438     if (pid != 0) {
439         waitPid(pid);
440     } else { //child process
441         Api::setProcessLabel(privManager.getAppId());
442         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
443                                                      adminUserToSwitch.getGid()) == 0,
444                                 "drop_root_privileges failed");
445
446         PolicyRequest setPolicyRequest;
447         std::vector<PolicyEntry> policyEntries;
448
449         PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, PRIV_INTERNET);
450         internetPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY);
451         setPolicyRequest.addEntry(internetPolicyEntry);
452
453         PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, PRIV_DISPLAY);
454         displayPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY);
455         setPolicyRequest.addEntry(displayPolicyEntry);
456
457         Api::sendPolicy(setPolicyRequest);
458
459         Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
460         RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2"
461                                                      " and is " << policyEntries.size());
462
463         PolicyRequest delPolicyRequest;
464
465         internetPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
466         delPolicyRequest.addEntry(internetPolicyEntry);
467
468         displayPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
469         delPolicyRequest.addEntry(displayPolicyEntry);
470
471         Api::sendPolicy(delPolicyRequest);
472
473         policyEntries.clear();
474         Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
475         RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
476                                                      " and is " << policyEntries.size());
477         exit(0);
478     };
479 }
480
481 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
482 {
483     const std::string& updatePriv = PRIV_LED;
484
485     TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
486     adminUser.create();
487
488     AppInstallHelper updatedApp("security_manager_15_update");
489     ScopedInstaller updatedAppInstall(updatedApp);
490
491     AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
492     privManager.addPrivilege(ADMIN_PRIVILEGE);
493     ScopedInstaller privManagerInstall(privManager);
494
495     pid_t pid = fork();
496     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
497     if (pid != 0) { //parent process
498         waitPid(pid);
499         CynaraTestAdmin::Admin admin;
500         admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
501                          adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
502                          nullptr);
503     } else {
504         Api::setProcessLabel(privManager.getAppId());
505
506         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
507                                 "drop_root_privileges failed");
508
509         PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv);
510         entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW);
511         PolicyRequest addPolicyRequest;
512         addPolicyRequest.addEntry(entry);
513         Api::sendPolicy(addPolicyRequest);
514         exit(0);
515     }
516 }
517
518 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
519 {
520     const std::string& updatePriv = PRIV_LED;
521
522     TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
523     adminUser.create();
524
525     AppInstallHelper app("security_manager_15");
526     ScopedInstaller appInstall(app);
527
528     AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
529     privManager.addPrivilege(ADMIN_PRIVILEGE);
530     ScopedInstaller privManagerInstall(privManager);
531
532     pid_t pid = fork();
533     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
534     if (pid != 0) {
535         waitPid(pid);
536         CynaraTestAdmin::Admin admin;
537         admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
538                          adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
539                          nullptr);
540     } else {
541         Api::setProcessLabel(privManager.getAppId());
542         RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
543                           "drop_root_privileges failed");
544
545         PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv);
546         entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW);
547
548         PolicyRequest addPolicyRequest;
549         addPolicyRequest.addEntry(entry);
550         Api::sendPolicy(addPolicyRequest);
551         exit(0);
552     }
553 }
554
555 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
556 {
557     const std::string& updatePriv = PRIV_LED;
558
559     TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL);
560     user.create();
561
562     AppInstallHelper app("security_manager_15");
563     ScopedInstaller appInstall(app);
564
565     AppInstallHelper privManager("security_manager_15_priv_manager", user.getUid());
566     privManager.addPrivilege(SELF_PRIVILEGE);
567     ScopedInstaller privManagerInstall(privManager);
568
569     pid_t pid = fork();
570     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
571     if (pid != 0) {
572         waitPid(pid);
573         CynaraTestAdmin::Admin admin;
574         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
575                          updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
576     } else {
577         Api::setProcessLabel(privManager.getAppId());
578         RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
579                           "drop_root_privileges failed");
580
581         PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
582         entry.setLevel(PolicyEntry::LEVEL_ALLOW);
583
584         PolicyRequest addPolicyRequest;
585         addPolicyRequest.addEntry(entry);
586         Api::sendPolicy(addPolicyRequest);
587         exit(0);
588     }
589 }
590
591 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
592 {
593     TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
594     user.create();
595
596     pid_t pid = fork();
597     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
598     if (pid != 0) {
599         waitPid(pid);
600     } else {
601         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
602                           "drop_root_privileges failed");
603
604         char** levels;
605         size_t count;
606         int ret = security_manager_policy_levels_get(&levels, &count);
607         RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
608                 "Invlid return code: " << ret);
609         std::unique_ptr<char *, std::function<void(char**)>> descriptionsPtr(levels,
610                 [count](char **levels) { security_manager_policy_levels_free(levels, count);});
611
612         RUNNER_ASSERT_MSG(count >= 2, "Invalid number of policy levels. Should be 3,"
613                                       " instead there is: " << count);
614
615         std::string denyPolicy = std::string(levels[0]);
616         std::string allowPolicy = std::string(levels[count-1]);
617
618         // first should always be Deny
619         RUNNER_ASSERT_MSG(denyPolicy.compare(PolicyEntry::LEVEL_DENY) == 0,
620                 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
621
622         // last should always be Allow
623         RUNNER_ASSERT_MSG(allowPolicy.compare(PolicyEntry::LEVEL_ALLOW) == 0,
624                 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
625         exit(0);
626     }
627 }
628
629 RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
630 {
631     const std::string& updatePriv = PRIV_LED;
632
633     TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL);
634     user.create();
635
636     AppInstallHelper app("security_manager_17a");
637     ScopedInstaller appInstall(app);
638
639     SynchronizationPipe synchPipe;
640     pid_t pid = fork();
641     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
642     if (pid != 0) {
643         synchPipe.claimParentEp();
644
645         synchPipe.wait();
646         CynaraTestAdmin::Admin admin;
647         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
648                          updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
649         synchPipe.post();
650
651         synchPipe.wait();
652         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
653                          updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
654         waitPid(pid);
655     } else {
656         synchPipe.claimChildEp();
657         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
658                                             "drop_root_privileges failed");
659
660         PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
661         entry.setLevel(PolicyEntry::LEVEL_ALLOW);
662         PolicyRequest addPolicyRequest;
663         addPolicyRequest.addEntry(entry);
664         Api::sendPolicy(addPolicyRequest);
665         synchPipe.post();
666
667         synchPipe.wait();
668         PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
669         deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
670         PolicyRequest deletePolicyRequest;
671         deletePolicyRequest.addEntry(deleteEntry);
672         Api::sendPolicy(deletePolicyRequest);
673         synchPipe.post();
674
675         exit(0);
676     }
677 }
678
679 RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
680 {
681     const std::string& updatePriv = PRIV_LED;
682
683     TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL);
684     user.create();
685
686     AppInstallHelper app("security_manager_17b");
687     ScopedInstaller appInstall(app);
688
689     AppInstallHelper privManager("security_manager_17b_priv_manager", user.getUid());
690     privManager.addPrivilege(SELF_PRIVILEGE);
691     ScopedInstaller privManagerInstall(privManager);
692
693     SynchronizationPipe synchPipe;
694     pid_t pid = fork();
695     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
696     if (pid != 0) {
697         synchPipe.claimParentEp();
698         synchPipe.wait();
699         CynaraTestAdmin::Admin admin;
700         admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
701                          updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
702         synchPipe.post();
703
704         synchPipe.wait();
705         admin.adminCheck("", false, app.generateAppLabel().c_str(),
706                          user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
707         waitPid(pid);
708
709     } else {
710         synchPipe.claimChildEp();
711         Api::setProcessLabel(privManager.getAppId());
712         RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
713                                 "drop_root_privileges failed");
714
715         PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
716         entry.setLevel(PolicyEntry::LEVEL_ALLOW);
717         PolicyRequest addPolicyRequest;
718         addPolicyRequest.addEntry(entry);
719         Api::sendPolicy(addPolicyRequest);
720         synchPipe.post();
721
722         synchPipe.wait();
723         PolicyRequest deletePolicyRequest;
724         PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
725         deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
726         deletePolicyRequest.addEntry(deleteEntry);
727         Api::sendPolicy(deletePolicyRequest);
728         synchPipe.post();
729         exit(0);
730     }
731 }
732
733 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
734 {
735     const std::string username("sm_test_17_user_name");
736     std::vector<AppInstallHelper> appHelpers;
737     std::vector<ScopedInstaller> scopedInstallations;
738     std::map<std::string, unsigned> privToCount;
739     unsigned policyCount = 0;
740
741     TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
742     user.create();
743
744     for (unsigned int i = 0; i < TEST_PRIVILEGES.size(); i++) {
745         AppInstallHelper app("sm_test_17_" + std::to_string(i), user.getUid());
746         app.addPrivileges(TEST_PRIVILEGES[i]);
747         policyCount += app.getPrivileges().size();
748
749         appHelpers.emplace_back(std::move(app));
750         for (auto &priv: TEST_PRIVILEGES[i]) {
751             privToCount[priv]++;
752         }
753     }
754
755     AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid());
756     std::string privManagerAppId = privManager.getAppId();
757     privManager.addPrivilege(SELF_PRIVILEGE);
758     privToCount[SELF_PRIVILEGE]++;
759     policyCount += privManager.getPrivileges().size();
760
761     appHelpers.emplace_back(std::move(privManager));
762     for (const auto &app : appHelpers)
763         scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
764
765     pid_t pid = fork();
766     RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
767     if (pid != 0)//parent process
768     {
769         waitPid(pid);
770     } else {
771         Api::setProcessLabel(privManagerAppId);
772         RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
773                           "drop_root_privileges failed");
774
775         for (const auto &privCount : privToCount) {
776             std::vector<PolicyEntry> policyEntries;
777             PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first);
778             Api::getPolicy(filter, policyEntries);
779             RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
780             RUNNER_ASSERT_MSG(policyEntries.size() == privCount.second,
781                               "Number of policies doesn't match - should be: " << privCount.second
782                                << " and is " << policyEntries.size());
783         }
784
785         for (const auto &app : appHelpers) {
786             std::vector<PolicyEntry> policyEntries;
787             PolicyEntry filter(app.getAppId(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
788             Api::getPolicy(filter, policyEntries);
789             RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
790             RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
791                               "Number of policies doesn't match - should be: " << app.getPrivileges().size()
792                               << " and is " << policyEntries.size());
793         }
794
795         std::vector<PolicyEntry> policyEntries;
796         PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
797         Api::getPolicy(filter, policyEntries);
798         RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
799         RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
800                           "Number of policies doesn't match - should be: " << policyCount
801                           << " and is " << policyEntries.size());
802
803         exit(0);
804     }
805 }
806
807 RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
808 {
809     TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
810     user.create();
811
812     AppInstallHelper app("sm_test_18", user.getUid());
813     app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
814
815     PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
816     std::vector<PolicyEntry> policyEntries;
817     {
818         PkgPrivacyPrivileges setupPrivacyPrivs(app);
819         ScopedInstaller installer(app);
820         unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
821
822         Api::getPolicy(filter, policyEntries);
823
824         RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
825             "Number of policy entries doesn't match; should be " << app.getPrivileges().size()
826             << " but is " << policyEntries.size());
827
828         if (PolicyConfiguration::getIsAskuserEnabled() ) {
829             unsigned int privacyActNum = 0;
830             for (auto &entry : policyEntries)
831                 if (isPrivilegePrivacy(entry.getPrivilege())) {
832                     RUNNER_ASSERT_MSG(entry.getCurrentLevel() == PolicyEntry::LEVEL_ASK_USER,
833                                       "Invalid policy setup; policy should be \"Ask user\" but is "
834                                       << entry.getCurrentLevel());
835                     ++privacyActNum;
836                 }
837             RUNNER_ASSERT_MSG(privacyActNum == privacyNum,
838                               "Should be " << privacyNum << " privacy privileges,"
839                               "but is " << privacyActNum);
840         }
841     }
842
843     policyEntries.clear();
844     Api::getPolicy(filter, policyEntries);
845     RUNNER_ASSERT_MSG(policyEntries.size() == 0,
846                       "After deinstallation, policy entries size should be 0,"
847                       "but is: "  << policyEntries.size());
848 }
849
850 void test_privacy_related_privileges(bool isHybrid) {
851     TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
852     user.create();
853
854     const std::string pkgId = "sm_test_19_pkg_id";
855
856     AppInstallHelper app1("sm_test_19_app_id_1", pkgId, user.getUid());
857     if (isHybrid)
858         app1.setHybrid();
859     app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
860     PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
861     ScopedInstaller installer1(app1);
862
863     AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
864     if (isHybrid)
865         app2.setHybrid();
866     app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
867     PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
868     ScopedInstaller installer2(app2);
869
870     int privacyCount1, privacyCount2;
871     if (!PolicyConfiguration::getIsAskuserEnabled()) {
872         privacyCount1 = 0;
873         privacyCount2 = 0;
874     } else if (isHybrid) {
875         privacyCount1 = countPrivacyPrivileges(app1.getPrivileges());
876         privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
877     } else {
878         privacyCount1 = privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
879     }
880
881     std::vector<PolicyEntry> policyEntries;
882     PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
883     Api::getPolicy(filter, policyEntries);
884
885     int privacyAct1 = 0, privacyAct2 = 0;
886     for (auto &entry : policyEntries) {
887         RUNNER_ASSERT_MSG(entry.getAppId() == app1.getAppId() || entry.getAppId() == app2.getAppId(),
888                           "Invalid appId: should be either " << app1.getAppId() << " or "
889                           << app2.getAppId() << " but is " << entry.getAppId());
890         if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(entry.getPrivilege())) {
891             RUNNER_ASSERT_MSG(entry.getCurrentLevel() == PolicyEntry::LEVEL_ASK_USER,
892                               "Invalid policy setup; policy should be \"Ask user\" but is "
893                               << entry.getCurrentLevel());
894             if (entry.getAppId() == app1.getAppId())
895                 ++privacyAct1;
896             else
897                 ++privacyAct2;
898         }
899     }
900     RUNNER_ASSERT_MSG(privacyCount1 == privacyAct1, "Should be " << privacyCount1
901                       << " privacy privileges, but is " << privacyAct1);
902     RUNNER_ASSERT_MSG(privacyCount2 == privacyAct2, "Should be " << privacyCount2
903                       << " privacy privileges, but is " << privacyAct2);
904 }
905
906 RUNNER_CHILD_TEST(security_manager_19a_privacy_manager_privacy_related_privileges_policy_hybrid)
907 {
908     test_privacy_related_privileges(true);
909 }
910
911 RUNNER_CHILD_TEST(security_manager_19b_privacy_manager_privacy_related_privileges_policy_no_hybrid)
912 {
913     test_privacy_related_privileges(false);
914 }
915
916 RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges_policy_admin_check)
917 {
918     TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
919     user.create();
920
921     AppInstallHelper app("sm_test_20", user.getUid());
922     app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
923
924     PkgPrivacyPrivileges setupPrivacyPrivs(app);
925     ScopedInstaller installer(app);
926
927     CynaraTestAdmin::Admin admin;
928     int policyType = CYNARA_ADMIN_ALLOW;
929     int privacyPolicyType = -1;
930     if (PolicyConfiguration::getIsAskuserEnabled())
931         admin.getPolicyTypeForDescription(PolicyEntry::LEVEL_ASK_USER, privacyPolicyType);
932
933     for (auto &priv : app.getPrivileges()) {
934         if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
935             admin.adminCheck("", true, app.generateAppLabel().c_str(),
936                              user.getUidString().c_str(), priv, privacyPolicyType,
937                              nullptr);
938         } else {
939             admin.adminCheck("", true, app.generateAppLabel().c_str(),
940                              user.getUidString().c_str(), priv, policyType, nullptr);
941         }
942     }
943 }
944
945 RUNNER_CHILD_TEST(security_manager_21_fetch_app_manifest_invalid_params)
946 {
947     int ret = security_manager_get_app_manifest_policy(nullptr, 0, nullptr, nullptr);
948     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_INPUT_PARAM, "Expected invalid input param, returned " << ret);
949 }
950
951
952 RUNNER_CHILD_TEST(security_manager_22_fetch_app_manifest_no_app)
953 {
954     char **privileges;
955     size_t nPrivs = 0;
956     int ret = security_manager_get_app_manifest_policy("not_existing_app_id", 0, &privileges, &nPrivs);
957     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "Expected no such object error, returned " << ret);
958 }
959
960 RUNNER_CHILD_TEST(security_manager_23_fetch_app_manifest_invalid_user)
961 {
962     TemporaryTestUser user("sm_test_23_fetch_username", GUM_USERTYPE_NORMAL);
963     user.create();
964
965     AppInstallHelper app("security_manager_23_fetch", user.getUid());
966     app.setInstallType(SM_APP_INSTALL_LOCAL);
967     app.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
968     ScopedInstaller appInstall(app);
969
970     char **privileges;
971     size_t nPrivs = 0;
972     int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
973     // Should security-manager check if user exists?
974     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
975     RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
976 }
977
978 static void check_privileges_from_manifest(const AppInstallHelper &aih, char **privileges, size_t nPrivs)
979 {
980     auto& aihPrivs = aih.getPrivileges();
981     RUNNER_ASSERT_MSG(nPrivs == aihPrivs.size(), "Expected privileges number: " << aihPrivs.size() << ", got " << nPrivs);
982     for (size_t i = 0; i < nPrivs; ++i) {
983         RUNNER_ASSERT_MSG(std::find(aihPrivs.begin(), aihPrivs.end(), std::string(privileges[i])) != aihPrivs.end(),
984                           "Privilege " << privileges[i] << " not found");
985     }
986 }
987
988 RUNNER_CHILD_TEST(security_manager_24_fetch_app_manifest_global_app)
989 {
990     TemporaryTestUser user("sm_test_24_fetch_username", GUM_USERTYPE_NORMAL);
991     user.create();
992
993     AppInstallHelper app("security_manager_24_fetch");
994     app.setInstallType(SM_APP_INSTALL_GLOBAL);
995     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
996     ScopedInstaller appInstall(app);
997
998     char **privileges;
999     size_t nPrivs = 0;
1000
1001     int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1002     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1003     check_privileges_from_manifest(app, privileges, nPrivs);
1004     security_manager_privileges_free(privileges, nPrivs);
1005
1006     // since app is installed globally, also for our temporary user the returned list should be the same
1007     nPrivs = 0;
1008     ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1009     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1010     check_privileges_from_manifest(app, privileges, nPrivs);
1011     security_manager_privileges_free(privileges, nPrivs);
1012 }
1013
1014 RUNNER_CHILD_TEST(security_manager_25_fetch_app_manifest_local_app)
1015 {
1016     TemporaryTestUser user("sm_test_25_fetch_username", GUM_USERTYPE_NORMAL);
1017     user.create();
1018
1019     AppInstallHelper app("security_manager_25_fetch", user.getUid());
1020     app.setInstallType(SM_APP_INSTALL_LOCAL);
1021     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1022     ScopedInstaller appInstall(app);
1023
1024     char **privileges;
1025     size_t nPrivs = 0;
1026
1027     int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1028     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1029     check_privileges_from_manifest(app, privileges, nPrivs);
1030     security_manager_privileges_free(privileges, nPrivs);
1031
1032     // since app is installed locally, if we ask for other user (ie. root), we should get empty list of privileges
1033     nPrivs = 0;
1034     ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1035     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1036     RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
1037 }
1038
1039 RUNNER_CHILD_TEST(security_manager_26_fetch_app_manifest_both_apps)
1040 {
1041     TemporaryTestUser user("sm_test_26_fetch_username", GUM_USERTYPE_NORMAL);
1042     user.create();
1043
1044     AppInstallHelper appGlobal("security_manager_26_fetch");
1045     appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);
1046     appGlobal.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ});
1047     ScopedInstaller appGlobalInstall(appGlobal);
1048
1049     AppInstallHelper appLocal("security_manager_26_fetch", user.getUid());
1050     appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
1051     appLocal.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1052     ScopedInstaller appLocalInstall(appLocal);
1053
1054
1055     char **privileges;
1056     size_t nPrivs = 0;
1057
1058     int ret = security_manager_get_app_manifest_policy(appLocal.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1059     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1060     check_privileges_from_manifest(appLocal, privileges, nPrivs);
1061     security_manager_privileges_free(privileges, nPrivs);
1062
1063     nPrivs = 0;
1064     ret = security_manager_get_app_manifest_policy(appGlobal.getAppId().c_str(), 0, &privileges, &nPrivs);
1065     RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected succes, returned " << ret);
1066     check_privileges_from_manifest(appGlobal, privileges, nPrivs);
1067     security_manager_privileges_free(privileges, nPrivs);
1068 }
1069
1070 RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_positive)
1071 {
1072     TemporaryTestUser user("sm_test_27_fetch_username", GUM_USERTYPE_NORMAL);
1073     user.create();
1074
1075     AppInstallHelper app("security_manager_27_fetch", user.getUid());
1076     app.setInstallType(SM_APP_INSTALL_LOCAL);
1077     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1078     ScopedInstaller appInstall(app);
1079
1080     pid_t pid = fork();
1081     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1082     if (pid != 0) { //parent process
1083         waitPid(pid);
1084     } else { //child process
1085         Api::setProcessLabel(app.getAppId());
1086         RUNNER_ASSERT_ERRNO_MSG(
1087                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1088                 "drop_root_privileges failed");
1089         char **privileges;
1090         size_t nPrivs = 0;
1091         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1092         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1093         check_privileges_from_manifest(app, privileges, nPrivs);
1094         security_manager_privileges_free(privileges, nPrivs);
1095         exit(0);
1096     }
1097 }
1098
1099 RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_positive)
1100 {
1101     TemporaryTestUser user("sm_test_28_fetch_username", GUM_USERTYPE_NORMAL);
1102     user.create();
1103
1104     AppInstallHelper app("security_manager_28_fetch");
1105     app.setInstallType(SM_APP_INSTALL_GLOBAL);
1106     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1107     ScopedInstaller appInstall(app);
1108
1109     pid_t pid = fork();
1110     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1111     if (pid != 0) { //parent process
1112         waitPid(pid);
1113     } else { //child process
1114         Api::setProcessLabel(app.getAppId());
1115         RUNNER_ASSERT_ERRNO_MSG(
1116                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1117                 "drop_root_privileges failed");
1118         char **privileges;
1119         size_t nPrivs = 0;
1120         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1121         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1122         check_privileges_from_manifest(app, privileges, nPrivs);
1123         security_manager_privileges_free(privileges, nPrivs);
1124         exit(0);
1125     }
1126 }
1127
1128 RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_different_uid)
1129 {
1130     TemporaryTestUser user("sm_test_29_fetch_username", GUM_USERTYPE_NORMAL);
1131     user.create();
1132
1133     TemporaryTestUser user1("sm_test_29_fetch_username_1", GUM_USERTYPE_NORMAL);
1134     user1.create();
1135
1136     AppInstallHelper app("security_manager_29_fetch", user.getUid());
1137     app.setInstallType(SM_APP_INSTALL_LOCAL);
1138     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1139     ScopedInstaller appInstall(app);
1140
1141     AppInstallHelper app1("security_manager_29_fetch", user1.getUid());
1142     app1.setInstallType(SM_APP_INSTALL_LOCAL);
1143     app1.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ});
1144     ScopedInstaller appInstall1(app1);
1145
1146
1147     pid_t pid = fork();
1148     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1149     if (pid != 0) { //parent process
1150         waitPid(pid);
1151     } else { //child process
1152         Api::setProcessLabel(app1.getAppId());
1153         RUNNER_ASSERT_ERRNO_MSG(
1154                 drop_root_privileges(user1.getUid(), user1.getGid()) == 0,
1155                 "drop_root_privileges failed");
1156         char **privileges;
1157         size_t nPrivs = 0;
1158         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1159         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
1160
1161         nPrivs = 0;
1162         ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user1.getUid(), &privileges, &nPrivs);
1163         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1164         check_privileges_from_manifest(app1, privileges, nPrivs);
1165         security_manager_privileges_free(privileges, nPrivs);
1166         exit(0);
1167     }
1168 }
1169
1170 RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_different_label)
1171 {
1172     TemporaryTestUser user("sm_test_30_fetch_username", GUM_USERTYPE_NORMAL);
1173     user.create();
1174
1175     AppInstallHelper app("security_manager_30_fetch", user.getUid());
1176     app.setInstallType(SM_APP_INSTALL_LOCAL);
1177     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1178     ScopedInstaller appInstall(app);
1179
1180     AppInstallHelper app1("security_manager_30_fetch_1", user.getUid());
1181     app1.setInstallType(SM_APP_INSTALL_LOCAL);
1182     app1.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ});
1183     ScopedInstaller appInstall1(app1);
1184
1185
1186     pid_t pid = fork();
1187     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1188     if (pid != 0) { //parent process
1189         waitPid(pid);
1190     } else { //child process
1191         Api::setProcessLabel(app1.getAppId());
1192         RUNNER_ASSERT_ERRNO_MSG(
1193                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1194                 "drop_root_privileges failed");
1195         char **privileges;
1196         size_t nPrivs = 0;
1197         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1198         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
1199
1200         nPrivs = 0;
1201         ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1202         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1203         check_privileges_from_manifest(app1, privileges, nPrivs);
1204         security_manager_privileges_free(privileges, nPrivs);
1205         exit(0);
1206     }
1207 }
1208
1209 RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege)
1210 {
1211     TemporaryTestUser user("sm_test_31_fetch_username", GUM_USERTYPE_ADMIN);
1212     user.create();
1213
1214     AppInstallHelper app("security_manager_31_fetch", user.getUid());
1215     app.setInstallType(SM_APP_INSTALL_LOCAL);
1216     app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1217     ScopedInstaller appInstall(app);
1218
1219     AppInstallHelper app1("security_manager_31_fetch_1", user.getUid());
1220     app1.setInstallType(SM_APP_INSTALL_LOCAL);
1221     app1.addPrivileges({PRIV_CALENDAR_READ,
1222                         PRIV_CALENDAR_WRITE,
1223                         PRIV_CONTACTS_READ,
1224                         PRIV_INTERNAL_USERMANAGEMENT});
1225     ScopedInstaller appInstall1(app1);
1226
1227
1228     pid_t pid = fork();
1229     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1230     if (pid != 0) { //parent process
1231         waitPid(pid);
1232     } else { //child process
1233         Api::setProcessLabel(app1.getAppId());
1234         RUNNER_ASSERT_ERRNO_MSG(
1235                 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1236                 "drop_root_privileges failed");
1237         char **privileges;
1238         size_t nPrivs = 0;
1239         int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1240         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1241         check_privileges_from_manifest(app, privileges, nPrivs);
1242         security_manager_privileges_free(privileges, nPrivs);
1243
1244         nPrivs = 0;
1245         ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1246         RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1247         check_privileges_from_manifest(app1, privileges, nPrivs);
1248         security_manager_privileges_free(privileges, nPrivs);
1249         exit(0);
1250     }
1251 }
Domain: Security / Uncategorized;