SM : Adjust tests for new shared RO support
[platform/core/test/security-tests.git] / src / security-manager-tests / test_cases_public_sharing.cpp
1 /*
2  * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
3  *
4  *    Licensed under the Apache License, Version 2.0 (the "License");
5  *    you may not use this file except in compliance with the License.
6  *    You may obtain a copy of the License at
7  *
8  *        http://www.apache.org/licenses/LICENSE-2.0
9  *
10  *    Unless required by applicable law or agreed to in writing, software
11  *    distributed under the License is distributed on an "AS IS" BASIS,
12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  *    See the License for the specific language governing permissions and
14  *    limitations under the License.
15  */
16 #include <cstdint>
17 #include <unordered_map>
18 #include <string>
19 #include <sys/smack.h>
20 #include <sys/types.h>
21 #include <unistd.h>
22
23 #include <dpl/test/test_runner.h>
24 #include <sm_commons.h>
25 #include <tests_common.h>
26 #include <scoped_installer.h>
27 #include <scoped_path_remover.h>
28
29 using namespace SecurityManagerTest;
30
31 namespace {
32 const int ACCESS_SUCCESS = 0;
33 const int ACCESS_ERROR = -1;
34
35 const std::vector<std::pair<std::string, std::string>> versionCombinations {
36     std::make_pair("2.4", "2.4"),
37     std::make_pair("2.4", "3.0"),
38     std::make_pair("3.0", "3.0"),
39     std::make_pair("3.0", "2.4")
40 };
41
42 const std::unordered_map<int, const char* const> accessTypeToString {
43     std::make_pair(0, "F_OK"),
44     std::make_pair(1, "X_OK"),
45     std::make_pair(2, "W_OK"),
46     std::make_pair(3, "W_OK|X_OK"),
47     std::make_pair(4, "R_OK"),
48     std::make_pair(5, "R_OK|X_OK"),
49     std::make_pair(6, "R_OK|W_OK"),
50     std::make_pair(7, "R_OK|W_OK|X_OK")
51 };
52
53 void changeSecurityContext(const std::string &label, uid_t uid, gid_t gid)
54 {
55     RUNNER_ASSERT_ERRNO_MSG(0 == smack_set_label_for_self(label.c_str()),
56         "Error in smack_set_label_for_self(" << label << ")");
57
58     RUNNER_ASSERT_ERRNO_MSG(0 == setgid(gid), "Error in setgid.");
59     RUNNER_ASSERT_ERRNO_MSG(0 == setuid(uid), "Error in setuid.");
60 }
61
62 AppInstallHelper prepAIH(const std::string &appName,
63                          const std::string &pkgName,
64                          std::string version,
65                          bool isSharedRO)
66 {
67     bool appIsLocal = true;
68     AppInstallHelper appInstallHelper(appName, pkgName, version, appIsLocal);
69
70     appInstallHelper.createInstallDir();
71
72     if (isSharedRO)
73         appInstallHelper.createSharedRODir();
74
75     return appInstallHelper;
76 }
77
78 void runAccessTest(const AppInstallHelper &appFrom, const std::string &testPath,
79                    const int accessType, const int accessResult) {
80     auto fun = [&](){
81         changeSecurityContext(appFrom.generateAppLabel(), appFrom.getUID(), appFrom.getGID());
82         RUNNER_ASSERT_ERRNO_MSG(::access(testPath.c_str(), accessType) == accessResult,
83                                 "access from app " << appFrom.getAppId() << " to path " << testPath
84                                 << " (" << accessTypeToString.at(accessType)  << "): ");
85     };
86
87     runInChildParentWait(fun);
88 }
89
90 } //anonymous namespace
91
92 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO)
93
94 /**
95  * Test 76 : Check whether owner app
96  * have access to own sharedRO dir
97  */
98 RUNNER_CHILD_TEST(security_manager_76_owner_shared_ro_have_rw_access_to_own_shared_ro_dir)
99 {
100     std::string sharedROAppName = "sm_test_76_app1_sharedRO";
101     std::string sharedROPkgName = "sm_test_76_pkg1_sharedRO";
102     auto run_test = [&](std::string ver) {
103         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver, true));
104         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
105
106         runAccessTest(sharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
107     };
108
109     run_test("2.4");
110     run_test("3.0");
111 }
112
113 /**
114  * Test 77 : Check whether app from non_sharedRO pkg
115  * have access to sharedRO dir of an application
116  */
117 RUNNER_CHILD_TEST(security_manager_77_no_shared_ro_have_ro_access_to_shared_ro)
118 {
119     std::string sharedROAppName = "sm_test_77_app1_sharedRO";
120     std::string sharedROPkgName = "sm_test_77_pkg1_sharedRO";
121     std::string nonSharedROAppName = "sm_test_77_app2";
122     std::string nonSharedROPkgName = "sm_test_77_pkg2";
123
124     auto run_test = [&](std::string ver1, std::string ver2) {
125         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
126         ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver2, false));
127         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
128
129         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
130         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
131     };
132
133     for (const auto &version : versionCombinations) {
134         run_test(version.first, version.second);
135     }
136 }
137
138 /**
139  * Test 78 : Check whether app from another sharedRO pkg
140  * have access to sharedRO dir of an application
141  */
142 RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_shared_ro)
143 {
144     std::string sharedROAppName = "sm_test_78_app1_sharedRO";
145     std::string sharedROPkgName = "sm_test_78_pkg1_sharedRO";
146     std::string sharedROAppName2 = "sm_test_78_app2_sharedRO";
147     std::string sharedROPkgName2 = "sm_test_78_pkg2_sharedRO";
148
149     auto run_test = [&](std::string ver1, std::string ver2) {
150         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
151         ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName2, ver2, true));
152         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(),
153                                       sharedROPkgApp2.getAIH().getSharedRODir()});
154
155         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
156         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
157     };
158
159     for (const auto &version : versionCombinations)
160         run_test(version.first, version.second);
161 }
162
163 /**
164  * Test 79 : Install two sharedRO apps in one package
165  * and check access to sharedRO dir
166  */
167 RUNNER_CHILD_TEST(security_manager_79_same_pkg_shared_ro_have_ro_access_to_shared_ro)
168 {
169     std::string sharedROAppName = "sm_test_79_app1_sharedRO";
170     std::string sharedROPkgName = "sm_test_79_pkg1_sharedRO";
171     std::string sharedROAppName2 = "sm_test_79_app2_sharedRO";
172
173     auto run_test = [&](std::string ver1, std::string ver2) {
174         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
175         ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName, ver2, true));
176         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
177
178         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
179         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
180     };
181
182     for (const auto &version : versionCombinations)
183         run_test(version.first, version.second);
184 }
185
186 /**
187  * Test 80 : Check whether application from non-sharedRO pkg
188  * have proper access to RO dir of an sharedRO application.
189  */
190 RUNNER_CHILD_TEST(security_manager_80_no_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
191 {
192     std::string sharedROAppName = "sm_test_80_app1_sharedRO";
193     std::string sharedROPkgName = "sm_test_80_pkg1_sharedRO";
194     std::string nonSharedROAppName = "sm_test_80_app2";
195     std::string nonSharedROPkgName = "sm_test_80_pkg2";
196
197     auto run_test = [&](std::string ver1, std::string ver2) {
198         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
199         ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver2, false));
200         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
201
202         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|X_OK, ACCESS_ERROR);
203         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|W_OK, ACCESS_ERROR);
204     };
205
206     for (const auto &version : versionCombinations)
207         run_test(version.first, version.second);
208 }
209
210 /**
211  * Test 81 : Check whether sharedRO application from another pkg
212  * have proper access to RO dir of other sharedRO app.
213  */
214 RUNNER_CHILD_TEST(security_manager_81_another_pkg_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
215 {
216     std::string sharedROAppName = "sm_test_81_app1_sharedRO";
217     std::string sharedROPkgName = "sm_test_81_pkg1_sharedRO";
218     std::string sharedROAppName2 = "sm_test_81_app2_sharedRO";
219     std::string sharedROPkgName2 = "sm_test_81_pkg2_sharedRO";
220
221     auto run_test = [&](std::string ver1, std::string ver2) {
222         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
223         ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName2, ver2, true));
224         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(),
225                                       sharedROPkgApp2.getAIH().getSharedRODir()});
226
227         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|X_OK, ACCESS_ERROR);
228         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|W_OK, ACCESS_ERROR);
229     };
230
231     for (const auto &version : versionCombinations)
232         run_test(version.first, version.second);
233 }
234
235 /**
236  * Test 82 : Check whether sharedRO application from same pkg
237  * have proper access to RO dir of other sharedRO app.
238  */
239 RUNNER_CHILD_TEST(security_manager_82_same_pkg_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
240 {
241     std::string sharedROAppName = "sm_test_82_app1_sharedRO";
242     std::string sharedROPkgName = "sm_test_82_pkg1_sharedRO";
243     std::string sharedROAppName2 = "sm_test_82_app2_sharedRO";
244
245     auto run_test = [&](std::string ver1, std::string ver2) {
246         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
247         ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName, ver2, true));
248         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
249
250         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|X_OK, ACCESS_ERROR);
251         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|W_OK, ACCESS_ERROR);
252     };
253
254     for (const auto &version : versionCombinations)
255         run_test(version.first, version.second);
256 }
257
258 /**
259  * Test 83 : Try to add valid sharedRO dir to an app
260  * and check all possible accesses to to it.
261  */
262 RUNNER_CHILD_TEST(security_manager_83_add_path_to_app_and_check_all)
263 {
264     std::string sharedROAppName = "sm_test_83_app1_sharedRO";
265     std::string sharedROPkgName = "sm_test_83_pkg1_sharedRO";
266     std::string nonSharedROAppName = "sm_test_83_app2";
267     std::string nonSharedROPkgName = "sm_test_83_pkg2";
268     std::string nonSharedROAppName2 = "sm_test_83_app3_will_be_sharedRO";
269     std::string nonSharedROPkgName2 = "sm_test_83_pkg3_will_be_sharedRO";
270
271     auto run_test = [&](std::string ver1, std::string ver2) {
272         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
273         ScopedInstaller anotherNonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver1, false));
274         ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName2, nonSharedROPkgName2, ver2, false));
275         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(),
276                                       anotherNonSharedROPkgApp.getAIH().getSharedRODir(),
277                                       nonSharedROPkgApp.getAIH().getSharedRODir()});
278
279         nonSharedROPkgApp.getAIH().createSharedRODir();
280
281         PathsRequest sharedRORequest;
282         sharedRORequest.setPkgId(nonSharedROPkgApp.getAIH().getPkgId());
283         sharedRORequest.addPath(nonSharedROPkgApp.getAIH().getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
284         sharedRORequest.setUid(nonSharedROPkgApp.getAIH().getUID());
285         Api::registerPaths(sharedRORequest);
286
287         runAccessTest(nonSharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
288
289         runAccessTest(sharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
290         runAccessTest(sharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
291
292         runAccessTest(anotherNonSharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
293         runAccessTest(anotherNonSharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
294     };
295
296     for (const auto &version : versionCombinations)
297         run_test(version.first, version.second);
298 }
299
300 /**
301  * Test 84 : Try to add path which does not belong
302  * to an app and check if operation succeeds.
303  */
304 RUNNER_CHILD_TEST(security_manager_84_add_invalid_path_to_app_and_check_all)
305 {
306     std::string sharedROAppName = "sm_test_84_app1_sharedRO";
307     std::string sharedROPkgName = "sm_test_84_pkg1_sharedRO";
308     std::string nonSharedROAppName = "sm_test_84_app2";
309     std::string nonSharedROPkgName = "sm_test_84_pkg2";
310     std::string nonSharedROAppName2 = "sm_test_84_app3_wont_be_sharedRO";
311     std::string nonSharedROPkgName2 = "sm_test_84_pkg3_wont_be_sharedRO";
312
313     auto run_test = [&](std::string ver1, std::string ver2) {
314         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
315         ScopedInstaller anotherNonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver1, false));
316         ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName2, nonSharedROPkgName2, ver2 ,false));
317         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(), anotherNonSharedROPkgApp.getAIH().getSharedRODir()});
318
319         PathsRequest sharedRORequest;
320         sharedRORequest.setPkgId(nonSharedROPkgApp.getAIH().getPkgId());
321         sharedRORequest.addPath(sharedROPkgApp.getAIH().getPrivateRODir(), SECURITY_MANAGER_PATH_RO);
322         sharedRORequest.setUid(nonSharedROPkgApp.getAIH().getUID());
323         Api::registerPaths(sharedRORequest, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
324     };
325
326     for (const auto &version : versionCombinations)
327         run_test(version.first, version.second);
328 }
329
330 /**
331  * Test 85 : Install and uninstall app and check accesses to
332  * uninstalled paths from other packages.
333  */
334 RUNNER_CHILD_TEST(security_manager_85_install_uninstall_shared_ro_app_and_check_cleaning)
335 {
336     std::string sharedROAppName = "sm_test_85_app1_sharedRO";
337     std::string sharedROPkgName = "sm_test_85_pkg1_sharedRO";
338     std::string sharedROAppName2 = "sm_test_85_app2_sharedRO";
339     std::string sharedROPkgName2 = "sm_test_85_pkg2_sharedRO";
340     std::string nonSharedROAppName = "sm_test_85_app3";
341     std::string nonSharedROPkgName = "sm_test_85_pkg3";
342
343     auto run_test = [&](std::string ver1, std::string ver2) {
344         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
345         ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName2, ver2, true));
346         ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver2, false));
347         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(), sharedROPkgApp2.getAIH().getSharedRODir()});
348
349         sharedROPkgApp.uninstallApp();
350
351         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_ERROR);
352         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
353
354         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_ERROR);
355         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
356
357         /**
358          * After Deinstallation of an app, sharedRO dir
359          * still exists, but only owner app have an access (sharedRO rules are revoked)
360          */
361
362         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), F_OK, ACCESS_SUCCESS);
363     };
364
365     for (const auto &version : versionCombinations)
366         run_test(version.first, version.second);
367 }
368
369 /**
370  * Test 86 : Install multiple SharedRO apps,
371  * uninstall one of them and check accesses to sharedRO path
372  * within one package.
373  */
374 RUNNER_CHILD_TEST(security_manager_86_install_uninstall_shared_ro_two_apps_in_one_pkg)
375 {
376     std::string sharedROAppName = "sm_test_86_app1_sharedRO";
377     std::string sharedROPkgName = "sm_test_86_pkg1_sharedRO";
378     std::string sharedROAppName2 = "sm_test_86_app2_sharedRO";
379     std::string nonSharedROAppName = "sm_test_86_app3";
380
381     auto run_test = [&](std::string ver1, std::string ver2) {
382         ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, false));
383         ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName, ver2, true));
384         ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, sharedROPkgName, ver2, false));
385         ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
386
387         sharedROPkgApp.uninstallApp();
388
389         runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
390         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), F_OK, ACCESS_SUCCESS);
391         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
392         runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
393     };
394
395     for (const auto &version : versionCombinations)
396         run_test(version.first, version.second);
397 }