2 * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
23 #include <unordered_set>
27 #include <app_install_helper.h>
28 #include <cynara_test_admin.h>
29 #include <dpl/test/test_runner.h>
30 #include <dpl/test/test_runner_child.h>
31 #include <pkg_privacy_privileges.h>
32 #include <policy_configuration.h>
33 #include <scoped_installer.h>
35 #include <sm_commons.h>
36 #include <sm_policy_request.h>
37 #include <sm_request.h>
38 #include <synchronization_pipe.h>
39 #include <temp_test_user.h>
40 #include <tests_common.h>
41 #include <privilege_names.h>
42 #include <app_def_privilege.h>
44 using namespace SecurityManagerTest;
45 using namespace PrivilegeNames;
52 // Privileges required for having permission to self/admin get/set policies.
53 const std::string& SELF_PRIVILEGE = PRIV_NOTEXIST;
54 const std::string& ADMIN_PRIVILEGE = PRIV_INTERNAL_USERMANAGEMENT;
56 const std::vector<PrivilegeVector> TEST_PRIVILEGES = {
57 {PRIV_INTERNET, PRIV_DISPLAY},
58 {PRIV_TELEPHONY, PRIV_DATASHARING},
59 {PRIV_CONTENT_WRITE, PRIV_LED, PRIV_EMAIL},
60 {PRIV_LED, PRIV_EMAIL, PRIV_TELEPHONY, PRIV_DATASHARING},
61 {PRIV_INTERNET, PRIV_DISPLAY, PRIV_LED, PRIV_EMAIL}
64 const PrivilegeVector TEST_PRIVACY_PRIVILEGES[] = {
66 Privilege(PRIV_TELEPHONY),
68 Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY),
69 Privilege(PRIV_ACCOUNT_READ, Privilege::PRIVACY),
70 Privilege(PRIV_HEALTHINFO, Privilege::PRIVACY),
73 Privilege(PRIV_TELEPHONY),
75 Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY),
81 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
83 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
85 TemporaryTestUser tmpUser("sm_test_10_user_name", GUM_USERTYPE_NORMAL, false);
88 unsigned expectedPolicyCount = 0;
89 std::map<std::string, AppInstallHelper> appIdToAIH;
90 for (unsigned i = 0; i < TEST_PRIVILEGES.size(); i++) {
91 AppInstallHelper app("sm_test_10_" + std::to_string(i), tmpUser.getUid());
92 app.addPrivileges(TEST_PRIVILEGES[i]);
93 expectedPolicyCount += app.getPrivileges().size();
94 appIdToAIH.emplace(app.getAppId(), std::move(app));
97 AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid());
98 std::string privManagerAppId = privManager.getAppId();
99 privManager.addPrivilege(SELF_PRIVILEGE);
100 expectedPolicyCount += privManager.getPrivileges().size();
101 appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));
103 std::vector<ScopedInstaller> scopedInstallations;
104 for (const auto &appIdAIH : appIdToAIH) {
105 scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
109 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
110 if (pid != 0) { //parent process
112 } else { //child process
113 Api::setProcessLabel(privManagerAppId);
114 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
115 "drop_root_privileges failed");
117 std::vector<PolicyEntry> policyEntries;
118 Api::getPolicy(PolicyEntry(), policyEntries);
120 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
121 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
122 "Number of policies doesn't match - should be: " << expectedPolicyCount
123 << " and is " << policyEntries.size());
125 for (const auto &policyEntry : policyEntries) {
126 std::string user = policyEntry.getUser();
127 std::string app = policyEntry.getAppId();
128 std::string privilege = policyEntry.getPrivilege();
130 RUNNER_ASSERT_MSG(user == tmpUser.getUidString(), "Unexpected user: " << user);
132 auto appIt = appIdToAIH.find(app);
133 RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
135 AppInstallHelper &aih = appIt->second;
136 auto& appPrivileges = aih.getPrivileges();
137 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
138 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
139 "Unexpected privilege " << privilege << " for app " << app);
145 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
147 const std::string normalNameToSwitch = "sm_test_11_user_name_normal";
148 const std::vector<UserInfo> userInfos = {{normalNameToSwitch, GUM_USERTYPE_NORMAL},
149 {"sm_test_11_user_name_admin", GUM_USERTYPE_ADMIN}};
151 std::map<std::string, TemporaryTestUser> usernameToTTU;
152 // uid + app_id -> AppInstallHelper (different users can have same app_id installed)
153 std::map<std::pair<uid_t,std::string>, AppInstallHelper> userAppIdToAIH;
154 unsigned expectedPolicyCount = 0;
156 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
157 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
160 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
161 AppInstallHelper app("sm_test_11_" + std::to_string(p_i), user.getUid());
162 app.addPrivileges(TEST_PRIVILEGES[p_i]);
163 if (user.getUserName() == normalNameToSwitch) // Only entries for this user should be fetched
164 expectedPolicyCount += app.getPrivileges().size();
165 userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
168 usernameToTTU.emplace(userInfos[u_i].userName, std::move(user));
171 TemporaryTestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch);
173 AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid());
174 std::string privManagerAppId = privManager.getAppId();
175 privManager.addPrivilege(SELF_PRIVILEGE);
176 expectedPolicyCount += privManager.getPrivileges().size();
177 userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()),
178 std::move(privManager));
180 std::vector<ScopedInstaller> scopedInstallations;
181 for (const auto &userAppIdAIH : userAppIdToAIH) {
182 scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
186 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
187 if (pid != 0) { //parent process
189 } else { //child process
190 Api::setProcessLabel(privManagerAppId);
191 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
192 normalUserToSwitch.getGid()) == 0,
193 "drop_root_privileges failed");
195 std::vector<PolicyEntry> policyEntries;
196 Api::getPolicy(PolicyEntry(), policyEntries);
198 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
199 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
200 "Number of policies doesn't match - should be: " << expectedPolicyCount
201 << " and is " << policyEntries.size());
203 for (const auto &policyEntry : policyEntries) {
204 // Expect policy only for current process user
205 std::string user = policyEntry.getUser();
206 std::string app = policyEntry.getAppId();
207 std::string privilege = policyEntry.getPrivilege();
209 RUNNER_ASSERT_MSG(normalUserToSwitch.getUidString() == user, "Unexpected user: " << user);
210 auto userAppIdToAIHIt = userAppIdToAIH.find(std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
211 RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
212 "Unknown app " << app << " for user " << user);
214 AppInstallHelper &aih = userAppIdToAIHIt->second;
215 auto privs = aih.getPrivileges();
217 auto& appPrivileges = aih.getPrivileges();
218 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
219 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
220 "Unexpected privilege " << privilege << " for app " << app);
226 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
228 std::vector<PolicyEntry> oldPolicyVec;
229 Api::getPolicy(PolicyEntry(), oldPolicyVec);
230 std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
232 std::string adminNameToSwitch = "sm_test_12_user_name_admin";
233 const std::vector<UserInfo> userInfos = {{"sm_test_12_user_name_normal",GUM_USERTYPE_NORMAL},
234 {adminNameToSwitch, GUM_USERTYPE_ADMIN}};
236 std::map<std::string, TemporaryTestUser> usernameToTTU;
237 std::vector<std::string> uidStrings;
238 // uidstring + app_id -> AppInstallHelper
239 std::map<std::pair<uid_t, std::string>, AppInstallHelper> userAppIdToAIH;
240 unsigned expectedPolicyCount = oldPolicyVec.size();
242 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
243 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
245 uidStrings.push_back(user.getUidString());
247 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
248 AppInstallHelper app("sm_test_12_" + std::to_string(p_i), user.getUid());
249 // Shift privileges, so same app_id for different users doesn't have same privileges
250 app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
251 expectedPolicyCount += app.getPrivileges().size();
252 userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
254 usernameToTTU.emplace(user.getUserName(), std::move(user));
257 TemporaryTestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch);
259 AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid());
260 std::string privManagerAppId = privManager.getAppId();
261 privManager.addPrivilege(SELF_PRIVILEGE);
262 privManager.addPrivilege(ADMIN_PRIVILEGE);
263 expectedPolicyCount += privManager.getPrivileges().size();
265 userAppIdToAIH.emplace(std::make_pair(adminUserToSwitch.getUid(), privManager.getAppId()),
266 std::move(privManager));
268 std::vector<ScopedInstaller> scopedInstallations;
269 for (const auto &userAppIdAIH : userAppIdToAIH) {
270 scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
274 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
275 if (pid != 0) { //parent process
277 } else { //child process
278 Api::setProcessLabel(privManagerAppId);
279 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
280 adminUserToSwitch.getGid()) == 0,
281 "drop_root_privileges failed");
283 std::vector<PolicyEntry> policyEntries;
284 Api::getPolicy(PolicyEntry(), policyEntries);
285 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
286 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
287 "Number of policies doesn't match - should be: " << expectedPolicyCount
288 << " and is " << policyEntries.size());
290 for (const auto &policyEntry : policyEntries) {
291 // Expect policy for all users to be returned
292 if (oldPolicySet.count(policyEntry))
294 std::string user = policyEntry.getUser();
295 std::string app = policyEntry.getAppId();
296 std::string privilege = policyEntry.getPrivilege();
298 auto uidStringIt = std::find(uidStrings.begin(), uidStrings.end(), user);
299 RUNNER_ASSERT_MSG(uidStringIt != uidStrings.end(), "Unexpected user: " << user);
301 auto userAppIdToAIHIt = userAppIdToAIH.find(
302 std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
303 RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
304 "Unknown app " << app << " for user " << user);
306 AppInstallHelper &aih = userAppIdToAIHIt->second;
307 auto privs = aih.getPrivileges();
309 auto& appPrivileges = aih.getPrivileges();
310 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
311 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
312 "Unexpected privilege " << privilege << " for app " << app);
318 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
320 std::string normalName = "sm_test_13_user_name_normal";
321 std::string adminName = "sm_test_13_user_name_admin";
322 const std::vector<UserInfo> userInfos = {{normalName,GUM_USERTYPE_NORMAL},
323 {adminName, GUM_USERTYPE_ADMIN}};
325 std::map<std::string, TemporaryTestUser> usernameToTTU;
326 std::map<uid_t, std::vector<AppInstallHelper>> uidToAIHs;
327 unsigned expectedPolicyCount = 0;
328 std::string privManagerAppId;
330 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
331 //Only entries for one of the users will be listed
332 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
335 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
336 AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid());
337 // Shift privileges, so same app_id for different user doesn't have same privileges
338 app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
339 expectedPolicyCount += app.getPrivileges().size();
340 uidToAIHs[user.getUid()].emplace_back(std::move(app));
342 AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid());
343 privManagerAppId = privManager.getAppId();
344 privManager.addPrivilege(SELF_PRIVILEGE);
345 expectedPolicyCount += privManager.getPrivileges().size();
346 uidToAIHs[user.getUid()].emplace_back(std::move(privManager));
348 usernameToTTU.emplace(user.getUserName(), std::move(user));
351 std::vector<ScopedInstaller> scopedInstallations;
352 for (const auto &userAIHs : uidToAIHs) {
353 for (const auto &aih : userAIHs.second)
354 scopedInstallations.emplace_back(ScopedInstaller(aih));
357 TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
358 TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
361 RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
362 if (pid == 0) { //child #1 process
363 Api::setProcessLabel(privManagerAppId);
364 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
365 "drop_root_privileges failed");
366 auto &app1 = uidToAIHs[normalUser.getUid()][0];
367 auto &app2 = uidToAIHs[normalUser.getUid()][0];
368 PolicyRequest policyRequest;
369 PolicyEntry policyEntry(
371 normalUser.getUidString(),
372 app1.getPrivileges()[0]
374 policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
376 policyRequest.addEntry(policyEntry);
377 policyEntry = PolicyEntry(
379 normalUser.getUidString(),
380 app1.getPrivileges()[1]
382 policyEntry.setLevel(PolicyEntry::LEVEL_DENY);
383 policyRequest.addEntry(policyEntry);
384 Api::sendPolicy(policyRequest);
390 RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
391 if (pid == 0) { //child #2 process
392 Api::setProcessLabel(privManagerAppId);
393 // Admin user, but in context of app, which doesn't have usermanagement privilege
394 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
395 "drop_root_privileges failed");
397 PolicyEntry filter = PolicyEntry(
398 SECURITY_MANAGER_ANY,
399 normalUser.getUidString(),
402 std::vector<PolicyEntry> policyEntries;
403 //U2 requests contents of U1 privacy manager - should fail
404 Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
405 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
406 << policyEntries.size() << " entries");
408 filter = PolicyEntry(
409 SECURITY_MANAGER_ANY,
410 SECURITY_MANAGER_ANY,
414 policyEntries.clear();
416 //U2 requests contents of ADMIN bucket - should fail
417 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
418 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
419 << policyEntries.size() << " entries");
427 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
429 TemporaryTestUser adminUserToSwitch("sm_test_14_user_name_admin", GUM_USERTYPE_ADMIN);
430 adminUserToSwitch.create();
432 AppInstallHelper privManager("sm_test_14_priv_manager", adminUserToSwitch.getUid());
433 privManager.addPrivilege(ADMIN_PRIVILEGE);
435 ScopedInstaller privManagerInstall(privManager);
440 } else { //child process
441 Api::setProcessLabel(privManager.getAppId());
442 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
443 adminUserToSwitch.getGid()) == 0,
444 "drop_root_privileges failed");
446 PolicyRequest setPolicyRequest;
447 std::vector<PolicyEntry> policyEntries;
449 PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, PRIV_INTERNET);
450 internetPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY);
451 setPolicyRequest.addEntry(internetPolicyEntry);
453 PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, PRIV_DISPLAY);
454 displayPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY);
455 setPolicyRequest.addEntry(displayPolicyEntry);
457 Api::sendPolicy(setPolicyRequest);
459 Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
460 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2"
461 " and is " << policyEntries.size());
463 PolicyRequest delPolicyRequest;
465 internetPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
466 delPolicyRequest.addEntry(internetPolicyEntry);
468 displayPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
469 delPolicyRequest.addEntry(displayPolicyEntry);
471 Api::sendPolicy(delPolicyRequest);
473 policyEntries.clear();
474 Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
475 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
476 " and is " << policyEntries.size());
481 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
483 const std::string& updatePriv = PRIV_LED;
485 TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
488 AppInstallHelper updatedApp("security_manager_15_update");
489 ScopedInstaller updatedAppInstall(updatedApp);
491 AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
492 privManager.addPrivilege(ADMIN_PRIVILEGE);
493 ScopedInstaller privManagerInstall(privManager);
496 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
497 if (pid != 0) { //parent process
499 CynaraTestAdmin::Admin admin;
500 admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
501 adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
504 Api::setProcessLabel(privManager.getAppId());
506 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
507 "drop_root_privileges failed");
509 PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv);
510 entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW);
511 PolicyRequest addPolicyRequest;
512 addPolicyRequest.addEntry(entry);
513 Api::sendPolicy(addPolicyRequest);
518 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
520 const std::string& updatePriv = PRIV_LED;
522 TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
525 AppInstallHelper app("security_manager_15");
526 ScopedInstaller appInstall(app);
528 AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
529 privManager.addPrivilege(ADMIN_PRIVILEGE);
530 ScopedInstaller privManagerInstall(privManager);
533 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
536 CynaraTestAdmin::Admin admin;
537 admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
538 adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
541 Api::setProcessLabel(privManager.getAppId());
542 RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
543 "drop_root_privileges failed");
545 PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv);
546 entry.setMaxLevel(PolicyEntry::LEVEL_ALLOW);
548 PolicyRequest addPolicyRequest;
549 addPolicyRequest.addEntry(entry);
550 Api::sendPolicy(addPolicyRequest);
555 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
557 const std::string& updatePriv = PRIV_LED;
559 TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL);
562 AppInstallHelper app("security_manager_15");
563 ScopedInstaller appInstall(app);
565 AppInstallHelper privManager("security_manager_15_priv_manager", user.getUid());
566 privManager.addPrivilege(SELF_PRIVILEGE);
567 ScopedInstaller privManagerInstall(privManager);
570 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
573 CynaraTestAdmin::Admin admin;
574 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
575 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
577 Api::setProcessLabel(privManager.getAppId());
578 RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
579 "drop_root_privileges failed");
581 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
582 entry.setLevel(PolicyEntry::LEVEL_ALLOW);
584 PolicyRequest addPolicyRequest;
585 addPolicyRequest.addEntry(entry);
586 Api::sendPolicy(addPolicyRequest);
591 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
593 TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
597 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
601 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
602 "drop_root_privileges failed");
606 int ret = security_manager_policy_levels_get(&levels, &count);
607 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
608 "Invlid return code: " << ret);
609 std::unique_ptr<char *, std::function<void(char**)>> descriptionsPtr(levels,
610 [count](char **levels) { security_manager_policy_levels_free(levels, count);});
612 RUNNER_ASSERT_MSG(count >= 2, "Invalid number of policy levels. Should be 3,"
613 " instead there is: " << count);
615 std::string denyPolicy = std::string(levels[0]);
616 std::string allowPolicy = std::string(levels[count-1]);
618 // first should always be Deny
619 RUNNER_ASSERT_MSG(denyPolicy.compare(PolicyEntry::LEVEL_DENY) == 0,
620 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
622 // last should always be Allow
623 RUNNER_ASSERT_MSG(allowPolicy.compare(PolicyEntry::LEVEL_ALLOW) == 0,
624 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
629 RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
631 const std::string& updatePriv = PRIV_LED;
633 TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL);
636 AppInstallHelper app("security_manager_17a");
637 ScopedInstaller appInstall(app);
639 SynchronizationPipe synchPipe;
641 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
643 synchPipe.claimParentEp();
646 CynaraTestAdmin::Admin admin;
647 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
648 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
652 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
653 updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
656 synchPipe.claimChildEp();
657 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
658 "drop_root_privileges failed");
660 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
661 entry.setLevel(PolicyEntry::LEVEL_ALLOW);
662 PolicyRequest addPolicyRequest;
663 addPolicyRequest.addEntry(entry);
664 Api::sendPolicy(addPolicyRequest);
668 PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
669 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
670 PolicyRequest deletePolicyRequest;
671 deletePolicyRequest.addEntry(deleteEntry);
672 Api::sendPolicy(deletePolicyRequest);
679 RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
681 const std::string& updatePriv = PRIV_LED;
683 TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL);
686 AppInstallHelper app("security_manager_17b");
687 ScopedInstaller appInstall(app);
689 AppInstallHelper privManager("security_manager_17b_priv_manager", user.getUid());
690 privManager.addPrivilege(SELF_PRIVILEGE);
691 ScopedInstaller privManagerInstall(privManager);
693 SynchronizationPipe synchPipe;
695 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
697 synchPipe.claimParentEp();
699 CynaraTestAdmin::Admin admin;
700 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
701 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
705 admin.adminCheck("", false, app.generateAppLabel().c_str(),
706 user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
710 synchPipe.claimChildEp();
711 Api::setProcessLabel(privManager.getAppId());
712 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
713 "drop_root_privileges failed");
715 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
716 entry.setLevel(PolicyEntry::LEVEL_ALLOW);
717 PolicyRequest addPolicyRequest;
718 addPolicyRequest.addEntry(entry);
719 Api::sendPolicy(addPolicyRequest);
723 PolicyRequest deletePolicyRequest;
724 PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
725 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
726 deletePolicyRequest.addEntry(deleteEntry);
727 Api::sendPolicy(deletePolicyRequest);
733 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
735 const std::string username("sm_test_17_user_name");
736 std::vector<AppInstallHelper> appHelpers;
737 std::vector<ScopedInstaller> scopedInstallations;
738 std::map<std::string, unsigned> privToCount;
739 unsigned policyCount = 0;
741 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
744 for (unsigned int i = 0; i < TEST_PRIVILEGES.size(); i++) {
745 AppInstallHelper app("sm_test_17_" + std::to_string(i), user.getUid());
746 app.addPrivileges(TEST_PRIVILEGES[i]);
747 policyCount += app.getPrivileges().size();
749 appHelpers.emplace_back(std::move(app));
750 for (auto &priv: TEST_PRIVILEGES[i]) {
755 AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid());
756 std::string privManagerAppId = privManager.getAppId();
757 privManager.addPrivilege(SELF_PRIVILEGE);
758 privToCount[SELF_PRIVILEGE]++;
759 policyCount += privManager.getPrivileges().size();
761 appHelpers.emplace_back(std::move(privManager));
762 for (const auto &app : appHelpers)
763 scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
766 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
767 if (pid != 0)//parent process
771 Api::setProcessLabel(privManagerAppId);
772 RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
773 "drop_root_privileges failed");
775 for (const auto &privCount : privToCount) {
776 std::vector<PolicyEntry> policyEntries;
777 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first);
778 Api::getPolicy(filter, policyEntries);
779 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
780 RUNNER_ASSERT_MSG(policyEntries.size() == privCount.second,
781 "Number of policies doesn't match - should be: " << privCount.second
782 << " and is " << policyEntries.size());
785 for (const auto &app : appHelpers) {
786 std::vector<PolicyEntry> policyEntries;
787 PolicyEntry filter(app.getAppId(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
788 Api::getPolicy(filter, policyEntries);
789 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
790 RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
791 "Number of policies doesn't match - should be: " << app.getPrivileges().size()
792 << " and is " << policyEntries.size());
795 std::vector<PolicyEntry> policyEntries;
796 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
797 Api::getPolicy(filter, policyEntries);
798 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
799 RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
800 "Number of policies doesn't match - should be: " << policyCount
801 << " and is " << policyEntries.size());
807 RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
809 TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
812 AppInstallHelper app("sm_test_18", user.getUid());
813 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
815 PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
816 std::vector<PolicyEntry> policyEntries;
818 PkgPrivacyPrivileges setupPrivacyPrivs(app);
819 ScopedInstaller installer(app);
820 unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
822 Api::getPolicy(filter, policyEntries);
824 RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
825 "Number of policy entries doesn't match; should be " << app.getPrivileges().size()
826 << " but is " << policyEntries.size());
828 if (PolicyConfiguration::getIsAskuserEnabled() ) {
829 unsigned int privacyActNum = 0;
830 for (auto &entry : policyEntries)
831 if (isPrivilegePrivacy(entry.getPrivilege())) {
832 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == PolicyEntry::LEVEL_ASK_USER,
833 "Invalid policy setup; policy should be \"Ask user\" but is "
834 << entry.getCurrentLevel());
837 RUNNER_ASSERT_MSG(privacyActNum == privacyNum,
838 "Should be " << privacyNum << " privacy privileges,"
839 "but is " << privacyActNum);
843 policyEntries.clear();
844 Api::getPolicy(filter, policyEntries);
845 RUNNER_ASSERT_MSG(policyEntries.size() == 0,
846 "After deinstallation, policy entries size should be 0,"
847 "but is: " << policyEntries.size());
850 void test_privacy_related_privileges(bool isHybrid) {
851 TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
854 const std::string pkgId = "sm_test_19_pkg_id";
856 AppInstallHelper app1("sm_test_19_app_id_1", pkgId, user.getUid());
859 app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
860 PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
861 ScopedInstaller installer1(app1);
863 AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
866 app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
867 PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
868 ScopedInstaller installer2(app2);
870 int privacyCount1, privacyCount2;
871 if (!PolicyConfiguration::getIsAskuserEnabled()) {
874 } else if (isHybrid) {
875 privacyCount1 = countPrivacyPrivileges(app1.getPrivileges());
876 privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
878 privacyCount1 = privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
881 std::vector<PolicyEntry> policyEntries;
882 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
883 Api::getPolicy(filter, policyEntries);
885 int privacyAct1 = 0, privacyAct2 = 0;
886 for (auto &entry : policyEntries) {
887 RUNNER_ASSERT_MSG(entry.getAppId() == app1.getAppId() || entry.getAppId() == app2.getAppId(),
888 "Invalid appId: should be either " << app1.getAppId() << " or "
889 << app2.getAppId() << " but is " << entry.getAppId());
890 if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(entry.getPrivilege())) {
891 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == PolicyEntry::LEVEL_ASK_USER,
892 "Invalid policy setup; policy should be \"Ask user\" but is "
893 << entry.getCurrentLevel());
894 if (entry.getAppId() == app1.getAppId())
900 RUNNER_ASSERT_MSG(privacyCount1 == privacyAct1, "Should be " << privacyCount1
901 << " privacy privileges, but is " << privacyAct1);
902 RUNNER_ASSERT_MSG(privacyCount2 == privacyAct2, "Should be " << privacyCount2
903 << " privacy privileges, but is " << privacyAct2);
906 RUNNER_CHILD_TEST(security_manager_19a_privacy_manager_privacy_related_privileges_policy_hybrid)
908 test_privacy_related_privileges(true);
911 RUNNER_CHILD_TEST(security_manager_19b_privacy_manager_privacy_related_privileges_policy_no_hybrid)
913 test_privacy_related_privileges(false);
916 RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges_policy_admin_check)
918 TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
921 AppInstallHelper app("sm_test_20", user.getUid());
922 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
924 PkgPrivacyPrivileges setupPrivacyPrivs(app);
925 ScopedInstaller installer(app);
927 CynaraTestAdmin::Admin admin;
928 int policyType = CYNARA_ADMIN_ALLOW;
929 int privacyPolicyType = -1;
930 if (PolicyConfiguration::getIsAskuserEnabled())
931 admin.getPolicyTypeForDescription(PolicyEntry::LEVEL_ASK_USER, privacyPolicyType);
933 for (auto &priv : app.getPrivileges()) {
934 if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
935 admin.adminCheck("", true, app.generateAppLabel().c_str(),
936 user.getUidString().c_str(), priv, privacyPolicyType,
939 admin.adminCheck("", true, app.generateAppLabel().c_str(),
940 user.getUidString().c_str(), priv, policyType, nullptr);
945 RUNNER_CHILD_TEST(security_manager_21_fetch_app_manifest_invalid_params)
947 int ret = security_manager_get_app_manifest_policy(nullptr, 0, nullptr, nullptr);
948 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_INPUT_PARAM, "Expected invalid input param, returned " << ret);
952 RUNNER_CHILD_TEST(security_manager_22_fetch_app_manifest_no_app)
956 int ret = security_manager_get_app_manifest_policy("not_existing_app_id", 0, &privileges, &nPrivs);
957 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "Expected no such object error, returned " << ret);
960 RUNNER_CHILD_TEST(security_manager_23_fetch_app_manifest_invalid_user)
962 TemporaryTestUser user("sm_test_23_fetch_username", GUM_USERTYPE_NORMAL);
965 AppInstallHelper app("security_manager_23_fetch", user.getUid());
966 app.setInstallType(SM_APP_INSTALL_LOCAL);
967 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
968 ScopedInstaller appInstall(app);
972 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
973 // Should security-manager check if user exists?
974 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
975 RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
978 static void check_privileges_from_manifest(const AppInstallHelper &aih, char **privileges, size_t nPrivs)
980 auto& aihPrivs = aih.getPrivileges();
981 RUNNER_ASSERT_MSG(nPrivs == aihPrivs.size(), "Expected privileges number: " << aihPrivs.size() << ", got " << nPrivs);
982 for (size_t i = 0; i < nPrivs; ++i) {
983 RUNNER_ASSERT_MSG(std::find(aihPrivs.begin(), aihPrivs.end(), std::string(privileges[i])) != aihPrivs.end(),
984 "Privilege " << privileges[i] << " not found");
988 RUNNER_CHILD_TEST(security_manager_24_fetch_app_manifest_global_app)
990 TemporaryTestUser user("sm_test_24_fetch_username", GUM_USERTYPE_NORMAL);
993 AppInstallHelper app("security_manager_24_fetch");
994 app.setInstallType(SM_APP_INSTALL_GLOBAL);
995 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
996 ScopedInstaller appInstall(app);
1001 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1002 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1003 check_privileges_from_manifest(app, privileges, nPrivs);
1004 security_manager_privileges_free(privileges, nPrivs);
1006 // since app is installed globally, also for our temporary user the returned list should be the same
1008 ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1009 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1010 check_privileges_from_manifest(app, privileges, nPrivs);
1011 security_manager_privileges_free(privileges, nPrivs);
1014 RUNNER_CHILD_TEST(security_manager_25_fetch_app_manifest_local_app)
1016 TemporaryTestUser user("sm_test_25_fetch_username", GUM_USERTYPE_NORMAL);
1019 AppInstallHelper app("security_manager_25_fetch", user.getUid());
1020 app.setInstallType(SM_APP_INSTALL_LOCAL);
1021 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1022 ScopedInstaller appInstall(app);
1027 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1028 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1029 check_privileges_from_manifest(app, privileges, nPrivs);
1030 security_manager_privileges_free(privileges, nPrivs);
1032 // since app is installed locally, if we ask for other user (ie. root), we should get empty list of privileges
1034 ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), 0, &privileges, &nPrivs);
1035 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1036 RUNNER_ASSERT_MSG(nPrivs == 0, "Expected empty set of privileges, returned " << nPrivs);
1039 RUNNER_CHILD_TEST(security_manager_26_fetch_app_manifest_both_apps)
1041 TemporaryTestUser user("sm_test_26_fetch_username", GUM_USERTYPE_NORMAL);
1044 AppInstallHelper appGlobal("security_manager_26_fetch");
1045 appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL);
1046 appGlobal.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ});
1047 ScopedInstaller appGlobalInstall(appGlobal);
1049 AppInstallHelper appLocal("security_manager_26_fetch", user.getUid());
1050 appLocal.setInstallType(SM_APP_INSTALL_LOCAL);
1051 appLocal.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1052 ScopedInstaller appLocalInstall(appLocal);
1058 int ret = security_manager_get_app_manifest_policy(appLocal.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1059 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1060 check_privileges_from_manifest(appLocal, privileges, nPrivs);
1061 security_manager_privileges_free(privileges, nPrivs);
1064 ret = security_manager_get_app_manifest_policy(appGlobal.getAppId().c_str(), 0, &privileges, &nPrivs);
1065 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected succes, returned " << ret);
1066 check_privileges_from_manifest(appGlobal, privileges, nPrivs);
1067 security_manager_privileges_free(privileges, nPrivs);
1070 RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_positive)
1072 TemporaryTestUser user("sm_test_27_fetch_username", GUM_USERTYPE_NORMAL);
1075 AppInstallHelper app("security_manager_27_fetch", user.getUid());
1076 app.setInstallType(SM_APP_INSTALL_LOCAL);
1077 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1078 ScopedInstaller appInstall(app);
1081 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1082 if (pid != 0) { //parent process
1084 } else { //child process
1085 Api::setProcessLabel(app.getAppId());
1086 RUNNER_ASSERT_ERRNO_MSG(
1087 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1088 "drop_root_privileges failed");
1091 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1092 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1093 check_privileges_from_manifest(app, privileges, nPrivs);
1094 security_manager_privileges_free(privileges, nPrivs);
1099 RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_positive)
1101 TemporaryTestUser user("sm_test_28_fetch_username", GUM_USERTYPE_NORMAL);
1104 AppInstallHelper app("security_manager_28_fetch");
1105 app.setInstallType(SM_APP_INSTALL_GLOBAL);
1106 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1107 ScopedInstaller appInstall(app);
1110 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1111 if (pid != 0) { //parent process
1113 } else { //child process
1114 Api::setProcessLabel(app.getAppId());
1115 RUNNER_ASSERT_ERRNO_MSG(
1116 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1117 "drop_root_privileges failed");
1120 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1121 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1122 check_privileges_from_manifest(app, privileges, nPrivs);
1123 security_manager_privileges_free(privileges, nPrivs);
1128 RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_different_uid)
1130 TemporaryTestUser user("sm_test_29_fetch_username", GUM_USERTYPE_NORMAL);
1133 TemporaryTestUser user1("sm_test_29_fetch_username_1", GUM_USERTYPE_NORMAL);
1136 AppInstallHelper app("security_manager_29_fetch", user.getUid());
1137 app.setInstallType(SM_APP_INSTALL_LOCAL);
1138 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1139 ScopedInstaller appInstall(app);
1141 AppInstallHelper app1("security_manager_29_fetch", user1.getUid());
1142 app1.setInstallType(SM_APP_INSTALL_LOCAL);
1143 app1.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ});
1144 ScopedInstaller appInstall1(app1);
1148 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1149 if (pid != 0) { //parent process
1151 } else { //child process
1152 Api::setProcessLabel(app1.getAppId());
1153 RUNNER_ASSERT_ERRNO_MSG(
1154 drop_root_privileges(user1.getUid(), user1.getGid()) == 0,
1155 "drop_root_privileges failed");
1158 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1159 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
1162 ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user1.getUid(), &privileges, &nPrivs);
1163 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1164 check_privileges_from_manifest(app1, privileges, nPrivs);
1165 security_manager_privileges_free(privileges, nPrivs);
1170 RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_different_label)
1172 TemporaryTestUser user("sm_test_30_fetch_username", GUM_USERTYPE_NORMAL);
1175 AppInstallHelper app("security_manager_30_fetch", user.getUid());
1176 app.setInstallType(SM_APP_INSTALL_LOCAL);
1177 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1178 ScopedInstaller appInstall(app);
1180 AppInstallHelper app1("security_manager_30_fetch_1", user.getUid());
1181 app1.setInstallType(SM_APP_INSTALL_LOCAL);
1182 app1.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ});
1183 ScopedInstaller appInstall1(app1);
1187 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1188 if (pid != 0) { //parent process
1190 } else { //child process
1191 Api::setProcessLabel(app1.getAppId());
1192 RUNNER_ASSERT_ERRNO_MSG(
1193 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1194 "drop_root_privileges failed");
1197 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1198 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED, "Expected auth failed, returned " << ret);
1201 ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1202 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1203 check_privileges_from_manifest(app1, privileges, nPrivs);
1204 security_manager_privileges_free(privileges, nPrivs);
1209 RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_different_label_with_privilege)
1211 TemporaryTestUser user("sm_test_31_fetch_username", GUM_USERTYPE_ADMIN);
1214 AppInstallHelper app("security_manager_31_fetch", user.getUid());
1215 app.setInstallType(SM_APP_INSTALL_LOCAL);
1216 app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE});
1217 ScopedInstaller appInstall(app);
1219 AppInstallHelper app1("security_manager_31_fetch_1", user.getUid());
1220 app1.setInstallType(SM_APP_INSTALL_LOCAL);
1221 app1.addPrivileges({PRIV_CALENDAR_READ,
1222 PRIV_CALENDAR_WRITE,
1224 PRIV_INTERNAL_USERMANAGEMENT});
1225 ScopedInstaller appInstall1(app1);
1229 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
1230 if (pid != 0) { //parent process
1232 } else { //child process
1233 Api::setProcessLabel(app1.getAppId());
1234 RUNNER_ASSERT_ERRNO_MSG(
1235 drop_root_privileges(user.getUid(), user.getGid()) == 0,
1236 "drop_root_privileges failed");
1239 int ret = security_manager_get_app_manifest_policy(app.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1240 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1241 check_privileges_from_manifest(app, privileges, nPrivs);
1242 security_manager_privileges_free(privileges, nPrivs);
1245 ret = security_manager_get_app_manifest_policy(app1.getAppId().c_str(), user.getUid(), &privileges, &nPrivs);
1246 RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "Expected success, returned " << ret);
1247 check_privileges_from_manifest(app1, privileges, nPrivs);
1248 security_manager_privileges_free(privileges, nPrivs);