2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
23 #include <unordered_set>
27 #include <app_install_helper.h>
28 #include <cynara_test_admin.h>
29 #include <dpl/test/test_runner.h>
30 #include <dpl/test/test_runner_child.h>
31 #include <policy_configuration.h>
32 #include <scoped_installer.h>
34 #include <sm_commons.h>
35 #include <sm_policy_request.h>
36 #include <sm_request.h>
37 #include <synchronization_pipe.h>
38 #include <temp_test_user.h>
39 #include <tests_common.h>
41 using namespace SecurityManagerTest;
48 // Privileges required for having permission to self/admin get/set policies.
49 const std::string SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
50 const std::string ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
52 typedef std::vector<std::string> Privileges;
53 const std::vector<Privileges> TEST_PRIVILEGES = {
55 "http://tizen.org/privilege/internet",
56 "http://tizen.org/privilege/display"
59 "http://tizen.org/privilege/telephony",
60 "http://tizen.org/privilege/datasharing"
63 "http://tizen.org/privilege/content.write",
64 "http://tizen.org/privilege/led",
65 "http://tizen.org/privilege/email"
68 "http://tizen.org/privilege/led",
69 "http://tizen.org/privilege/email",
70 "http://tizen.org/privilege/telephony",
71 "http://tizen.org/privilege/datasharing"
74 "http://tizen.org/privilege/internet",
75 "http://tizen.org/privilege/display",
76 "http://tizen.org/privilege/led",
77 "http://tizen.org/privilege/email"
81 const std::vector<Privileges> TEST_PRIVACY_PRIVILEGES = {
83 "http://tizen.org/privilege/telephony",
84 "http://tizen.org/privilege/led",
85 "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
86 "http://tizen.org/privilege/account.read",
87 "http://tizen.org/privilege/healthinfo"
90 "http://tizen.org/privilege/telephony",
91 "http://tizen.org/privilege/led",
92 "http://tizen.org/privilege/callhistory.read" // privacy-related privileges start here
98 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
100 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
102 TemporaryTestUser tmpUser("sm_test_10_user_name", GUM_USERTYPE_NORMAL, false);
105 unsigned expectedPolicyCount = 0;
106 std::map<std::string, AppInstallHelper> appIdToAIH;
107 for (unsigned i = 0; i < TEST_PRIVILEGES.size(); i++) {
108 AppInstallHelper app("sm_test_10_" + std::to_string(i), tmpUser.getUid());
109 app.addPrivileges(TEST_PRIVILEGES[i]);
110 expectedPolicyCount += app.getPrivileges().size();
111 appIdToAIH.emplace(app.getAppId(), std::move(app));
114 AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid());
115 std::string privManagerAppId = privManager.getAppId();
116 privManager.addPrivilege(SELF_PRIVILEGE);
117 expectedPolicyCount += privManager.getPrivileges().size();
118 appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));
120 std::vector<ScopedInstaller> scopedInstallations;
121 for (const auto &appIdAIH : appIdToAIH) {
122 scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
126 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
127 if (pid != 0) { //parent process
129 } else { //child process
130 Api::setProcessLabel(privManagerAppId);
131 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
132 "drop_root_privileges failed");
134 std::vector<PolicyEntry> policyEntries;
135 Api::getPolicy(PolicyEntry(), policyEntries);
137 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
138 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
139 "Number of policies doesn't match - should be: " << expectedPolicyCount
140 << " and is " << policyEntries.size());
142 for (const auto &policyEntry : policyEntries) {
143 std::string user = policyEntry.getUser();
144 std::string app = policyEntry.getAppId();
145 std::string privilege = policyEntry.getPrivilege();
147 RUNNER_ASSERT_MSG(user == tmpUser.getUidString(), "Unexpected user: " << user);
149 auto appIt = appIdToAIH.find(app);
150 RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
152 AppInstallHelper &aih = appIt->second;
153 auto appPrivileges = aih.getPrivilegesNames();
154 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
155 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
156 "Unexpected privilege " << privilege << " for app " << app);
162 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
164 const std::string normalNameToSwitch = "sm_test_11_user_name_normal";
165 const std::vector<UserInfo> userInfos = {{normalNameToSwitch, GUM_USERTYPE_NORMAL},
166 {"sm_test_11_user_name_admin", GUM_USERTYPE_ADMIN}};
168 std::map<std::string, TemporaryTestUser> usernameToTTU;
169 // uid + app_id -> AppInstallHelper (different users can have same app_id installed)
170 std::map<std::pair<uid_t,std::string>, AppInstallHelper> userAppIdToAIH;
171 unsigned expectedPolicyCount = 0;
173 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
174 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
177 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
178 AppInstallHelper app("sm_test_11_" + std::to_string(p_i), user.getUid());
179 app.addPrivileges(TEST_PRIVILEGES[p_i]);
180 if (user.getUserName() == normalNameToSwitch) // Only entries for this user should be fetched
181 expectedPolicyCount += app.getPrivileges().size();
182 userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
185 usernameToTTU.emplace(userInfos[u_i].userName, std::move(user));
188 TemporaryTestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch);
190 AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid());
191 std::string privManagerAppId = privManager.getAppId();
192 privManager.addPrivilege(SELF_PRIVILEGE);
193 expectedPolicyCount += privManager.getPrivileges().size();
194 userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()),
195 std::move(privManager));
197 std::vector<ScopedInstaller> scopedInstallations;
198 for (const auto &userAppIdAIH : userAppIdToAIH) {
199 scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
203 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
204 if (pid != 0) { //parent process
206 } else { //child process
207 Api::setProcessLabel(privManagerAppId);
208 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
209 normalUserToSwitch.getGid()) == 0,
210 "drop_root_privileges failed");
212 std::vector<PolicyEntry> policyEntries;
213 Api::getPolicy(PolicyEntry(), policyEntries);
215 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
216 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
217 "Number of policies doesn't match - should be: " << expectedPolicyCount
218 << " and is " << policyEntries.size());
220 for (const auto &policyEntry : policyEntries) {
221 // Expect policy only for current process user
222 std::string user = policyEntry.getUser();
223 std::string app = policyEntry.getAppId();
224 std::string privilege = policyEntry.getPrivilege();
226 RUNNER_ASSERT_MSG(normalUserToSwitch.getUidString() == user, "Unexpected user: " << user);
227 auto userAppIdToAIHIt = userAppIdToAIH.find(std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
228 RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
229 "Unknown app " << app << " for user " << user);
231 AppInstallHelper &aih = userAppIdToAIHIt->second;
232 auto privs = aih.getPrivileges();
234 auto appPrivileges = aih.getPrivilegesNames();
235 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
236 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
237 "Unexpected privilege " << privilege << " for app " << app);
243 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
245 std::vector<PolicyEntry> oldPolicyVec;
246 Api::getPolicy(PolicyEntry(), oldPolicyVec);
247 std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
249 std::string adminNameToSwitch = "sm_test_12_user_name_admin";
250 const std::vector<UserInfo> userInfos = {{"sm_test_12_user_name_normal",GUM_USERTYPE_NORMAL},
251 {adminNameToSwitch, GUM_USERTYPE_ADMIN}};
253 std::map<std::string, TemporaryTestUser> usernameToTTU;
254 std::vector<std::string> uidStrings;
255 // uidstring + app_id -> AppInstallHelper
256 std::map<std::pair<uid_t, std::string>, AppInstallHelper> userAppIdToAIH;
257 unsigned expectedPolicyCount = oldPolicyVec.size();
259 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
260 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
262 uidStrings.push_back(user.getUidString());
264 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
265 AppInstallHelper app("sm_test_12_" + std::to_string(p_i), user.getUid());
266 // Shift privileges, so same app_id for different users doesn't have same privileges
267 app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
268 expectedPolicyCount += app.getPrivileges().size();
269 userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
271 usernameToTTU.emplace(user.getUserName(), std::move(user));
274 TemporaryTestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch);
276 AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid());
277 std::string privManagerAppId = privManager.getAppId();
278 privManager.addPrivilege(SELF_PRIVILEGE);
279 privManager.addPrivilege(ADMIN_PRIVILEGE);
280 expectedPolicyCount += privManager.getPrivileges().size();
282 userAppIdToAIH.emplace(std::make_pair(adminUserToSwitch.getUid(), privManager.getAppId()),
283 std::move(privManager));
285 std::vector<ScopedInstaller> scopedInstallations;
286 for (const auto &userAppIdAIH : userAppIdToAIH) {
287 scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
291 RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
292 if (pid != 0) { //parent process
294 } else { //child process
295 Api::setProcessLabel(privManagerAppId);
296 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
297 adminUserToSwitch.getGid()) == 0,
298 "drop_root_privileges failed");
300 std::vector<PolicyEntry> policyEntries;
301 Api::getPolicy(PolicyEntry(), policyEntries);
302 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
303 RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
304 "Number of policies doesn't match - should be: " << expectedPolicyCount
305 << " and is " << policyEntries.size());
307 for (const auto &policyEntry : policyEntries) {
308 // Expect policy for all users to be returned
309 if (oldPolicySet.count(policyEntry))
311 std::string user = policyEntry.getUser();
312 std::string app = policyEntry.getAppId();
313 std::string privilege = policyEntry.getPrivilege();
315 auto uidStringIt = std::find(uidStrings.begin(), uidStrings.end(), user);
316 RUNNER_ASSERT_MSG(uidStringIt != uidStrings.end(), "Unexpected user: " << user);
318 auto userAppIdToAIHIt = userAppIdToAIH.find(
319 std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
320 RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
321 "Unknown app " << app << " for user " << user);
323 AppInstallHelper &aih = userAppIdToAIHIt->second;
324 auto privs = aih.getPrivileges();
326 auto appPrivileges = aih.getPrivilegesNames();
327 auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
328 RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
329 "Unexpected privilege " << privilege << " for app " << app);
335 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
337 std::string normalName = "sm_test_13_user_name_normal";
338 std::string adminName = "sm_test_13_user_name_admin";
339 const std::vector<UserInfo> userInfos = {{normalName,GUM_USERTYPE_NORMAL},
340 {adminName, GUM_USERTYPE_ADMIN}};
342 std::map<std::string, TemporaryTestUser> usernameToTTU;
343 std::map<uid_t, std::vector<AppInstallHelper>> uidToAIHs;
344 unsigned expectedPolicyCount = 0;
345 std::string privManagerAppId;
347 for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
348 //Only entries for one of the users will be listed
349 TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
352 for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
353 AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid());
354 // Shift privileges, so same app_id for different user doesn't have same privileges
355 app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
356 expectedPolicyCount += app.getPrivileges().size();
357 uidToAIHs[user.getUid()].emplace_back(std::move(app));
359 AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid());
360 privManagerAppId = privManager.getAppId();
361 privManager.addPrivilege(SELF_PRIVILEGE);
362 expectedPolicyCount += privManager.getPrivileges().size();
363 uidToAIHs[user.getUid()].emplace_back(std::move(privManager));
365 usernameToTTU.emplace(user.getUserName(), std::move(user));
368 std::vector<ScopedInstaller> scopedInstallations;
369 for (const auto &userAIHs : uidToAIHs) {
370 for (const auto &aih : userAIHs.second)
371 scopedInstallations.emplace_back(ScopedInstaller(aih));
374 TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
375 TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
378 RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
379 if (pid == 0) { //child #1 process
380 Api::setProcessLabel(privManagerAppId);
381 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
382 "drop_root_privileges failed");
383 auto &app1 = uidToAIHs[normalUser.getUid()][0];
384 auto &app2 = uidToAIHs[normalUser.getUid()][0];
385 PolicyRequest policyRequest;
386 PolicyEntry policyEntry(
388 normalUser.getUidString(),
389 app1.getPrivileges()[0]
391 policyEntry.setLevel("Deny");
393 policyRequest.addEntry(policyEntry);
394 policyEntry = PolicyEntry(
396 normalUser.getUidString(),
397 app1.getPrivileges()[1]
399 policyEntry.setLevel("Deny");
400 policyRequest.addEntry(policyEntry);
401 Api::sendPolicy(policyRequest);
407 RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
408 if (pid == 0) { //child #2 process
409 Api::setProcessLabel(privManagerAppId);
410 // Admin user, but in context of app, which doesn't have usermanagement privilege
411 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
412 "drop_root_privileges failed");
414 PolicyEntry filter = PolicyEntry(
415 SECURITY_MANAGER_ANY,
416 normalUser.getUidString(),
419 std::vector<PolicyEntry> policyEntries;
420 //U2 requests contents of U1 privacy manager - should fail
421 Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
422 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
423 << policyEntries.size() << " entries");
425 filter = PolicyEntry(
426 SECURITY_MANAGER_ANY,
427 SECURITY_MANAGER_ANY,
431 policyEntries.clear();
433 //U2 requests contents of ADMIN bucket - should fail
434 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
435 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
436 << policyEntries.size() << " entries");
444 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
446 TemporaryTestUser adminUserToSwitch("sm_test_14_user_name_admin", GUM_USERTYPE_ADMIN);
447 adminUserToSwitch.create();
449 AppInstallHelper privManager("sm_test_14_priv_manager", adminUserToSwitch.getUid());
450 privManager.addPrivilege(ADMIN_PRIVILEGE);
452 ScopedInstaller privManagerInstall(privManager);
457 } else { //child process
458 Api::setProcessLabel(privManager.getAppId());
459 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
460 adminUserToSwitch.getGid()) == 0,
461 "drop_root_privileges failed");
463 PolicyRequest setPolicyRequest;
464 std::vector<PolicyEntry> policyEntries;
466 const std::string internetPriv = "http://tizen.org/privilege/internet";
467 const std::string displayPriv = "http://tizen.org/privilege/display";
469 PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, internetPriv);
470 internetPolicyEntry.setMaxLevel("Deny");
471 setPolicyRequest.addEntry(internetPolicyEntry);
473 PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, displayPriv);
474 displayPolicyEntry.setMaxLevel("Deny");
475 setPolicyRequest.addEntry(displayPolicyEntry);
477 Api::sendPolicy(setPolicyRequest);
479 Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
480 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2"
481 " and is " << policyEntries.size());
483 PolicyRequest delPolicyRequest;
485 internetPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
486 delPolicyRequest.addEntry(internetPolicyEntry);
488 displayPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
489 delPolicyRequest.addEntry(displayPolicyEntry);
491 Api::sendPolicy(delPolicyRequest);
493 policyEntries.clear();
494 Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
495 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
496 " and is " << policyEntries.size());
501 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
503 const std::string updatePriv = "http://tizen.org/privilege/led";
505 TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
508 AppInstallHelper updatedApp("security_manager_15_update");
509 ScopedInstaller updatedAppInstall(updatedApp);
511 AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
512 privManager.addPrivilege(ADMIN_PRIVILEGE);
513 ScopedInstaller privManagerInstall(privManager);
516 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
517 if (pid != 0) { //parent process
519 CynaraTestAdmin::Admin admin;
520 admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
521 adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
524 Api::setProcessLabel(privManager.getAppId());
526 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
527 "drop_root_privileges failed");
529 PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv);
530 entry.setMaxLevel("Allow");
531 PolicyRequest addPolicyRequest;
532 addPolicyRequest.addEntry(entry);
533 Api::sendPolicy(addPolicyRequest);
538 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
540 const std::string updatePriv = "http://tizen.org/privilege/led";
542 TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
545 AppInstallHelper app("security_manager_15");
546 ScopedInstaller appInstall(app);
548 AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
549 privManager.addPrivilege(ADMIN_PRIVILEGE);
550 ScopedInstaller privManagerInstall(privManager);
553 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
556 CynaraTestAdmin::Admin admin;
557 admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
558 adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
561 Api::setProcessLabel(privManager.getAppId());
562 RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
563 "drop_root_privileges failed");
565 PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv);
566 entry.setMaxLevel("Allow");
568 PolicyRequest addPolicyRequest;
569 addPolicyRequest.addEntry(entry);
570 Api::sendPolicy(addPolicyRequest);
575 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
577 const std::string updatePriv = "http://tizen.org/privilege/led";
579 TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL);
582 AppInstallHelper app("security_manager_15");
583 ScopedInstaller appInstall(app);
585 AppInstallHelper privManager("security_manager_15_priv_manager", user.getUid());
586 privManager.addPrivilege(SELF_PRIVILEGE);
587 ScopedInstaller privManagerInstall(privManager);
590 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
593 CynaraTestAdmin::Admin admin;
594 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
595 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
597 Api::setProcessLabel(privManager.getAppId());
598 RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
599 "drop_root_privileges failed");
601 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
602 entry.setLevel("Allow");
604 PolicyRequest addPolicyRequest;
605 addPolicyRequest.addEntry(entry);
606 Api::sendPolicy(addPolicyRequest);
611 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
613 TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
617 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
621 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
622 "drop_root_privileges failed");
626 int ret = security_manager_policy_levels_get(&levels, &count);
627 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
628 "Invlid return code: " << ret);
629 std::unique_ptr<char *, std::function<void(char**)>> descriptionsPtr(levels,
630 [count](char **levels) { security_manager_policy_levels_free(levels, count);});
632 RUNNER_ASSERT_MSG(count >= 2, "Invalid number of policy levels. Should be 3,"
633 " instead there is: " << count);
635 std::string denyPolicy = std::string(levels[0]);
636 std::string allowPolicy = std::string(levels[count-1]);
638 // first should always be Deny
639 RUNNER_ASSERT_MSG(denyPolicy.compare("Deny") == 0,
640 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
642 // last should always be Allow
643 RUNNER_ASSERT_MSG(allowPolicy.compare("Allow") == 0,
644 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
649 RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
651 const std::string updatePriv = "http://tizen.org/privilege/led";
653 TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL);
656 AppInstallHelper app("security_manager_17a");
657 ScopedInstaller appInstall(app);
659 SynchronizationPipe synchPipe;
661 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
663 synchPipe.claimParentEp();
666 CynaraTestAdmin::Admin admin;
667 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
668 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
672 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
673 updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
676 synchPipe.claimChildEp();
677 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
678 "drop_root_privileges failed");
680 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
681 entry.setLevel("Allow");
682 PolicyRequest addPolicyRequest;
683 addPolicyRequest.addEntry(entry);
684 Api::sendPolicy(addPolicyRequest);
688 PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
689 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
690 PolicyRequest deletePolicyRequest;
691 deletePolicyRequest.addEntry(deleteEntry);
692 Api::sendPolicy(deletePolicyRequest);
699 RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
701 const std::string updatePriv = "http://tizen.org/privilege/led";
703 TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL);
706 AppInstallHelper app("security_manager_17b");
707 ScopedInstaller appInstall(app);
709 AppInstallHelper privManager("security_manager_17b_priv_manager", user.getUid());
710 privManager.addPrivilege(SELF_PRIVILEGE);
711 ScopedInstaller privManagerInstall(privManager);
713 SynchronizationPipe synchPipe;
715 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
717 synchPipe.claimParentEp();
719 CynaraTestAdmin::Admin admin;
720 admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
721 updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
725 admin.adminCheck("", false, app.generateAppLabel().c_str(),
726 user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
730 synchPipe.claimChildEp();
731 Api::setProcessLabel(privManager.getAppId());
732 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
733 "drop_root_privileges failed");
735 PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
736 entry.setLevel("Allow");
737 PolicyRequest addPolicyRequest;
738 addPolicyRequest.addEntry(entry);
739 Api::sendPolicy(addPolicyRequest);
743 PolicyRequest deletePolicyRequest;
744 PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
745 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
746 deletePolicyRequest.addEntry(deleteEntry);
747 Api::sendPolicy(deletePolicyRequest);
753 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
755 const std::string username("sm_test_17_user_name");
756 std::vector<AppInstallHelper> appHelpers;
757 std::vector<ScopedInstaller> scopedInstallations;
758 std::map<std::string, unsigned> privToCount;
759 unsigned policyCount = 0;
761 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
764 for (unsigned int i = 0; i < TEST_PRIVILEGES.size(); i++) {
765 AppInstallHelper app("sm_test_17_" + std::to_string(i), user.getUid());
766 app.addPrivileges(TEST_PRIVILEGES[i]);
767 policyCount += app.getPrivileges().size();
769 appHelpers.emplace_back(std::move(app));
770 for (auto &priv: TEST_PRIVILEGES[i]) {
775 AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid());
776 std::string privManagerAppId = privManager.getAppId();
777 privManager.addPrivilege(SELF_PRIVILEGE);
778 privToCount[SELF_PRIVILEGE]++;
779 policyCount += privManager.getPrivileges().size();
781 appHelpers.emplace_back(std::move(privManager));
782 for (const auto &app : appHelpers)
783 scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
786 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
787 if (pid != 0)//parent process
791 Api::setProcessLabel(privManagerAppId);
792 RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
793 "drop_root_privileges failed");
795 for (const auto &privCount : privToCount) {
796 std::vector<PolicyEntry> policyEntries;
797 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first);
798 Api::getPolicy(filter, policyEntries);
799 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
800 RUNNER_ASSERT_MSG(policyEntries.size() == privCount.second,
801 "Number of policies doesn't match - should be: " << privCount.second
802 << " and is " << policyEntries.size());
805 for (const auto &app : appHelpers) {
806 std::vector<PolicyEntry> policyEntries;
807 PolicyEntry filter(app.getAppId(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
808 Api::getPolicy(filter, policyEntries);
809 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
810 RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
811 "Number of policies doesn't match - should be: " << app.getPrivileges().size()
812 << " and is " << policyEntries.size());
815 std::vector<PolicyEntry> policyEntries;
816 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
817 Api::getPolicy(filter, policyEntries);
818 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
819 RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
820 "Number of policies doesn't match - should be: " << policyCount
821 << " and is " << policyEntries.size());
827 RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
829 const std::string askUserDescription = "Ask user";
830 TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
833 AppInstallHelper app("sm_test_18", user.getUid());
834 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
836 PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
837 std::vector<PolicyEntry> policyEntries;
839 ScopedInstaller installer(app);
840 unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
842 Api::getPolicy(filter, policyEntries);
844 RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
845 "Number of policy entries doesn't match; should be " << app.getPrivileges().size()
846 << " but is " << policyEntries.size());
848 if (PolicyConfiguration::getIsAskuserEnabled() ) {
849 unsigned int privacyActNum = 0;
850 for (auto &entry : policyEntries)
851 if (isPrivilegePrivacy(entry.getPrivilege())) {
852 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == askUserDescription,
853 "Invalid policy setup; policy should be \"Ask user\" but is "
854 << entry.getCurrentLevel());
857 RUNNER_ASSERT_MSG(privacyActNum == privacyNum,
858 "Should be " << privacyNum << " privacy privileges,"
859 "but is " << privacyActNum);
863 policyEntries.clear();
864 Api::getPolicy(filter, policyEntries);
865 RUNNER_ASSERT_MSG(policyEntries.size() == 0,
866 "After deinstallation, policy entries size should be 0,"
867 "but is: " << policyEntries.size());
870 void test_privacy_related_privileges(bool isHybrid) {
871 const std::string askUserDescription = "Ask user";
872 TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
875 const std::string pkgId = "sm_test_19_pkg_id";
877 AppInstallHelper app1("sm_test_19_app_id_1", pkgId, user.getUid());
880 app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
881 ScopedInstaller installer1(app1);
883 AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
886 app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
887 ScopedInstaller installer2(app2);
889 int privacyCount1, privacyCount2;
890 if (!PolicyConfiguration::getIsAskuserEnabled()) {
893 } else if (isHybrid) {
894 privacyCount1 = countPrivacyPrivileges(app1.getPrivileges());
895 privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
897 privacyCount1 = privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
900 std::vector<PolicyEntry> policyEntries;
901 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
902 Api::getPolicy(filter, policyEntries);
904 int privacyAct1 = 0, privacyAct2 = 0;
905 for (auto &entry : policyEntries) {
906 RUNNER_ASSERT_MSG(entry.getAppId() == app1.getAppId() || entry.getAppId() == app2.getAppId(),
907 "Invalid appId: should be either " << app1.getAppId() << " or "
908 << app2.getAppId() << " but is " << entry.getAppId());
909 if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(entry.getPrivilege())) {
910 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == askUserDescription,
911 "Invalid policy setup; policy should be \"Ask user\" but is "
912 << entry.getCurrentLevel());
913 if (entry.getAppId() == app1.getAppId())
919 RUNNER_ASSERT_MSG(privacyCount1 == privacyAct1, "Should be " << privacyCount1
920 << " privacy privileges, but is " << privacyAct1);
921 RUNNER_ASSERT_MSG(privacyCount2 == privacyAct2, "Should be " << privacyCount2
922 << " privacy privileges, but is " << privacyAct2);
925 RUNNER_CHILD_TEST(security_manager_19a_privacy_manager_privacy_related_privileges_policy_hybrid)
927 test_privacy_related_privileges(true);
930 RUNNER_CHILD_TEST(security_manager_19b_privacy_manager_privacy_related_privileges_policy_no_hybrid)
932 test_privacy_related_privileges(false);
935 RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges_policy_admin_check)
937 const std::string askUserDescription = "Ask user";
938 TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
941 AppInstallHelper app("sm_test_20", user.getUid());
942 app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
944 ScopedInstaller installer(app);
946 CynaraTestAdmin::Admin admin;
947 int policyType = CYNARA_ADMIN_ALLOW;
948 int privacyPolicyType = -1;
949 if (PolicyConfiguration::getIsAskuserEnabled())
950 admin.getPolicyTypeForDescription(askUserDescription, privacyPolicyType);
952 for (auto &priv : app.getPrivileges()) {
953 if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
954 admin.adminCheck("", true, app.generateAppLabel().c_str(),
955 user.getUidString().c_str(), priv, privacyPolicyType,
958 admin.adminCheck("", true, app.generateAppLabel().c_str(),
959 user.getUidString().c_str(), priv, policyType, nullptr);