src/security-manager-tests/test_cases_smack_privileges.cpp

   1 /*
   2  * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16
  17 #include <memory>
  18 #include <map>
  19 #include <cassert>
  20
  21 #include <boost/filesystem.hpp>
  22
  23 #include <tzplatform_config.h>
  24
  25 #include <dpl/test/test_runner.h>
  26 #include <dpl/test/test_runner_child.h>
  27
  28 #include <scoped_installer.h>
  29 #include <scoped_app_launcher.h>
  30 #include <temp_test_user.h>
  31 #include <app_install_helper_ext.h>
  32 #include <sm_policy_request.h>
  33 #include <privilege_names.h>
  34 #include <sm_commons.h>
  35 #include <service_manager.h>
  36
  37 using namespace SecurityManagerTest;
  38 using namespace PrivilegeNames;
  39
  40 namespace {
  41
  42 namespace fs = boost::filesystem;
  43
  44 const uid_t OWNER_ID = tzplatform_getuid(TZ_SYS_DEFAULT_USER);
  45
  46 const fs::path TEST_SETUP_PATH = SM_TEST_DIR "/smack-privileges";
  47 const fs::path BACKUP_SETUP_PATH = TEST_SETUP_PATH / "backup";
  48
  49 constexpr char SM_POLICY_PATH[] = "/usr/share/security-manager/policy";
  50 constexpr char SM_SMACK_PRIV_MAPPING_SUBDIR[] = "/privilege-mapping";
  51 constexpr char SM_SMACK_PRIV_CONFIG[] = "privilege-smack.list";
  52
  53 void changePolicy(const AppInstallHelper& app, const std::string& priv, const std::string &level) {
  54     PolicyRequest policyRequest;
  55     PolicyEntry entry(app.getAppId(), std::to_string(app.getUID()), priv);
  56     entry.setLevel(level);
  57     policyRequest.addEntry(entry);
  58     Api::sendPolicy(policyRequest);
  59 }
  60
  61 const std::vector<AccessRequest> INTERNET_RULES = {
  62     {"~PROCESS~", "System::Privilege::Internet", "w"},
  63     {"System::Privilege::Internet", "~PROCESS~", "w"}
  64 };
  65 const std::vector<AccessRequest> CAMERA_RULES = {
  66     {"~PROCESS~", "System::Privilege::Camera", "w"},
  67     {"System::Privilege::Camera", "~PROCESS~", "w"}
  68 };
  69 const std::vector<AccessRequest> CAMERA_IGNORED_RULES = {
  70     {"~PROCESS~", "System::TEF", "r"}
  71 };
  72
  73 enum class SmackPrivSetup {
  74     ORIGINAL,
  75     EMPTY,
  76     INTERNET_ONLY,
  77     MULTIPLE_PRIVS,
  78     MALFORMED
  79 };
  80
  81 // This is to ensure that original security-manager policy is restored after the group is finished
  82 class SmackPrivGroupEnv final : public DPL::Test::TestGroup {
  83 private:
  84     class SmackPrivSetupMgr final {
  85     public:
  86         SmackPrivSetupMgr() :
  87             m_currentSetup(SmackPrivSetup::ORIGINAL),
  88             m_serviceManager("security-manager.service"),
  89             m_setupMap({{ SmackPrivSetup::EMPTY, "empty" },
  90                         { SmackPrivSetup::INTERNET_ONLY, "internet-only" },
  91                         { SmackPrivSetup::MULTIPLE_PRIVS, "multiple-privs" },
  92                         { SmackPrivSetup::MALFORMED, "malformed" }})
  93         {
  94         }
  95         SmackPrivSetupMgr(const SmackPrivSetupMgr&) = delete;
  96         SmackPrivSetupMgr& operator=(const SmackPrivSetupMgr&) = delete;
  97         ~SmackPrivSetupMgr()
  98         {
  99             // restore setup
 100             if (m_currentSetup != SmackPrivSetup::ORIGINAL) {
 101                 try {
 102                     copySetup(BACKUP_SETUP_PATH, SM_POLICY_PATH);
 103
 104                     m_serviceManager.restartService();
 105                 } catch (...) {
 106                     RUNNER_ERROR_MSG("Unknown exception occurred during backup restore.");
 107                 }
 108             }
 109         }
 110
 111         void install(SmackPrivSetup setup)
 112         {
 113             if (setup == m_currentSetup)
 114                 return;
 115
 116             // backup setup
 117             if (m_currentSetup == SmackPrivSetup::ORIGINAL)
 118                 copySetup(SM_POLICY_PATH, BACKUP_SETUP_PATH);
 119
 120             copySetup(TEST_SETUP_PATH / m_setupMap.at(setup), SM_POLICY_PATH);
 121             m_currentSetup = setup;
 122
 123             // restart SM
 124             m_serviceManager.restartService();
 125         }
 126
 127     private:
 128         void copySetup(const boost::filesystem::path& src, const boost::filesystem::path& dst)
 129         {
 130             const auto srcConfig = src / SM_SMACK_PRIV_CONFIG;
 131             const auto dstConfig = dst / SM_SMACK_PRIV_CONFIG;
 132             const auto srcMappingSubdir = src / SM_SMACK_PRIV_MAPPING_SUBDIR;
 133             const auto dstMappingSubdir = dst / SM_SMACK_PRIV_MAPPING_SUBDIR;
 134
 135             // remove dst
 136             fs::remove(dstConfig);
 137             fs::remove_all(dstMappingSubdir);
 138
 139             // copy
 140             if (fs::exists(srcConfig))
 141                 fs::copy_file(srcConfig, dstConfig);
 142
 143             if (fs::exists(srcMappingSubdir)) {
 144                 fs::create_directory(dstMappingSubdir);
 145                 for (const auto& e: fs::recursive_directory_iterator(srcMappingSubdir))
 146                     fs::copy(e.path(), dstMappingSubdir / fs::relative(e.path(), srcMappingSubdir));
 147             }
 148         }
 149
 150         SmackPrivSetup m_currentSetup;
 151         ServiceManager m_serviceManager;
 152         const std::map<SmackPrivSetup, std::string> m_setupMap;
 153     };
 154
 155     static SmackPrivSetupMgr* m_setupMgr;
 156
 157 public:
 158     void Init() override {
 159         assert(!m_setupMgr);
 160
 161         m_setupMgr = new SmackPrivSetupMgr();
 162     }
 163
 164     static void Install(SmackPrivSetup setup)
 165     {
 166         assert(m_setupMgr);
 167
 168         m_setupMgr->install(setup);
 169     }
 170
 171     void Finish() override {
 172         assert(m_setupMgr);
 173
 174         delete(m_setupMgr);
 175         m_setupMgr = nullptr;
 176     }
 177 };
 178
 179 SmackPrivGroupEnv::SmackPrivSetupMgr* SmackPrivGroupEnv::m_setupMgr = nullptr;
 180
 181 template<SmackPrivSetup T>
 182 class TestSetup
 183 {
 184 public:
 185     void init(const std::string &) {
 186         SmackPrivGroupEnv::Install(T);
 187     }
 188     void finish() {}
 189 };
 190
 191 typedef TestSetup<SmackPrivSetup::EMPTY> EmptySetup;
 192 typedef TestSetup<SmackPrivSetup::INTERNET_ONLY> InternetOnlySetup;
 193 typedef TestSetup<SmackPrivSetup::MULTIPLE_PRIVS> MultiplePrivsSetup;
 194 typedef TestSetup<SmackPrivSetup::MALFORMED> MalformedSetup;
 195
 196 } // namespace anonymous
 197
 198 RUNNER_TEST_GROUP_INIT_ENV(SECURITY_MANAGER_SMACK_PRIVILEGES, SmackPrivGroupEnv)
 199
 200 RUNNER_CHILD_TEST(smack_privileges_10_no_privileges, InternetOnlySetup)
 201 {
 202     AppInstallHelperExt app("sm_test_sp_10_app");
 203     {
 204         ScopedInstaller appInstall(app);
 205         app.checkAfterInstall();
 206         app.checkDeniedPrivileges({PRIV_INTERNET});
 207         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 208         app.checkSmackAccesses(CAMERA_RULES, false);
 209         {
 210             ScopedAppLauncher appLaunch(app);
 211             app.checkSmackPrivileges({}, {PRIV_INTERNET});
 212             app.checkSmackAccesses(CAMERA_RULES, false);
 213         }
 214     }
 215     app.checkAfterUninstall();
 216 }
 217
 218 RUNNER_CHILD_TEST(smack_privileges_20_internet_privilege, InternetOnlySetup)
 219 {
 220     AppInstallHelperExt app("sm_test_sp_20_app");
 221     app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA});
 222     {
 223         ScopedInstaller appInstall(app);
 224         app.checkAfterInstall();
 225
 226         // rules absent before app is launched
 227         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 228         app.checkSmackAccesses(CAMERA_RULES, false);
 229         {
 230             ScopedAppLauncher appLaunch(app);
 231             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 232             app.checkSmackAccesses(CAMERA_RULES, false);
 233         }
 234         // rules present after app is terminated
 235         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 236     }
 237     app.checkAfterUninstall();
 238     // rules removed after app uninstallation
 239     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 240 }
 241
 242 RUNNER_CHILD_TEST(smack_privileges_30_one_after_another, InternetOnlySetup)
 243 {
 244     AppInstallHelperExt app("sm_test_sp_30_app");
 245     app.addPrivileges({PRIV_INTERNET});
 246     {
 247         ScopedInstaller appInstall(app);
 248         app.checkAfterInstall();
 249
 250         // rules absent before app is launched
 251         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 252         {
 253             ScopedAppLauncher appLaunch(app);
 254             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 255         }
 256         // rules present after app is terminated
 257         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 258
 259         {
 260             ScopedAppLauncher appLaunch(app);
 261             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 262         }
 263         // rules present after app is terminated
 264         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 265     }
 266     app.checkAfterUninstall();
 267     // rules removed after app uninstallation
 268     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 269 }
 270
 271 RUNNER_CHILD_TEST(smack_privileges_40_different_users_one_after_another, InternetOnlySetup)
 272 {
 273     TemporaryTestUser testUser("sm_test_40_user_name", GUM_USERTYPE_NORMAL, true);
 274     testUser.create();
 275
 276     AppInstallHelperExt app("sm_test_sp_40_app");
 277     app.addPrivileges({PRIV_INTERNET});
 278     {
 279         // global install
 280         ScopedInstaller appInstall(app);
 281         app.checkAfterInstall();
 282
 283         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 284
 285         // owner launch
 286         {
 287             app.setUidGid(OWNER_ID);
 288             ScopedAppLauncher appLaunch(app);
 289             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 290         }
 291
 292         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 293
 294         // test user launch
 295         {
 296             app.setUidGid(testUser.getUid());
 297             ScopedAppLauncher appLaunch(app);
 298             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 299         }
 300
 301         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 302     }
 303     app.checkAfterUninstall();
 304     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 305 }
 306
 307 RUNNER_CHILD_TEST(smack_privileges_50_same_user_simultaneously, InternetOnlySetup)
 308 {
 309     AppInstallHelperExt app("sm_test_sp_50_app", OWNER_ID);
 310     app.addPrivileges({PRIV_INTERNET});
 311     {
 312         ScopedInstaller appInstall(app);
 313         app.checkAfterInstall();
 314
 315         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 316         {
 317             ScopedAppLauncher appLaunch1(app);
 318             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 319             {
 320                 ScopedAppLauncher appLaunch2(app);
 321                 app.checkSmackPrivileges({PRIV_INTERNET}, {});
 322             }
 323             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 324         }
 325         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 326     }
 327     app.checkAfterUninstall();
 328     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 329 }
 330
 331 RUNNER_CHILD_TEST(smack_privileges_60_same_user_interchangeably, InternetOnlySetup)
 332 {
 333     AppInstallHelperExt app("sm_test_sp_60_app", OWNER_ID);
 334     app.addPrivileges({PRIV_INTERNET});
 335     {
 336         // local install
 337         ScopedInstaller appInstall(app);
 338         app.checkAfterInstall();
 339
 340         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 341
 342         // owner launch 1
 343         auto appLaunch1 = std::make_unique<ScopedAppLauncher>(app);
 344
 345         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 346
 347         // owner launch 2
 348         auto appLaunch2 = std::make_unique<ScopedAppLauncher>(app);
 349
 350         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 351
 352         // owner terminate 1
 353         appLaunch1.reset();
 354
 355         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 356
 357         // owner terminate 2
 358         appLaunch2.reset();
 359     }
 360     app.checkAfterUninstall();
 361     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 362 }
 363
 364 RUNNER_CHILD_TEST(smack_privileges_70_different_users_simultaneously, InternetOnlySetup)
 365 {
 366     TemporaryTestUser testUser("sm_test_70_user_name", GUM_USERTYPE_NORMAL, true);
 367     testUser.create();
 368
 369     AppInstallHelperExt app("sm_test_sp_70_app");
 370     app.addPrivileges({PRIV_INTERNET});
 371     {
 372         // global install
 373         ScopedInstaller appInstall(app);
 374         app.checkAfterInstall();
 375
 376         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 377
 378         // owner launch
 379         {
 380             app.setUidGid(OWNER_ID);
 381             ScopedAppLauncher appLaunch(app);
 382             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 383
 384             // test user launch
 385             {
 386                 app.setUidGid(testUser.getUid());
 387                 ScopedAppLauncher appLaunch(app);
 388
 389                 // multiuser detected -> rules removed
 390                 app.checkSmackPrivileges({}, {PRIV_INTERNET});
 391             }
 392             app.checkSmackPrivileges({}, {PRIV_INTERNET});
 393         }
 394         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 395
 396         // owner launch
 397         {
 398             app.setUidGid(OWNER_ID);
 399             ScopedAppLauncher appLaunch(app);
 400
 401             // rules restored
 402             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 403         }
 404     }
 405     app.checkAfterUninstall();
 406     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 407 }
 408
 409 RUNNER_CHILD_TEST(smack_privileges_80_uninstall_local_while_running, InternetOnlySetup)
 410 {
 411     AppInstallHelperExt app("sm_test_sp_80_app");
 412     app.addPrivileges({PRIV_INTERNET});
 413     {
 414         // global install
 415         ScopedInstaller appInstall1(app);
 416         app.checkAfterInstall();
 417
 418         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 419
 420         // local install
 421         AppInstallHelperExt app2("sm_test_sp_80_app", OWNER_ID);
 422         auto appInstall2 = std::make_unique<ScopedInstaller>(app2);
 423         app2.checkAfterInstall();
 424
 425         // global launch
 426         ScopedAppLauncher appLaunch(app);
 427         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 428
 429         // local uninstall
 430         appInstall2.reset();
 431
 432         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 433     }
 434     app.checkAfterUninstall();
 435     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 436 }
 437
 438 RUNNER_CHILD_TEST(smack_privileges_90_user_removal, InternetOnlySetup)
 439 {
 440     TemporaryTestUser testUser("sm_test_90_user_name", GUM_USERTYPE_NORMAL, true);
 441     testUser.create();
 442
 443     AppInstallHelperExt app("sm_test_sp_90_app", testUser.getUid());
 444     app.addPrivileges({PRIV_INTERNET});
 445     {
 446         // local install
 447         ScopedInstaller appInstall(app);
 448         app.checkAfterInstall();
 449
 450         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 451
 452         // local launch
 453         {
 454             ScopedAppLauncher appLaunch(app);
 455             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 456         }
 457
 458         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 459
 460         // user removal
 461         testUser.remove();
 462
 463         app.checkAfterUninstall();
 464         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 465     }
 466 }
 467
 468 RUNNER_CHILD_TEST(smack_privileges_100_hybrid_app, InternetOnlySetup)
 469 {
 470     AppInstallHelperExt app("sm_test_sp_100_app");
 471     app.addPrivileges({PRIV_INTERNET});
 472     app.setHybrid();
 473     {
 474         ScopedInstaller appInstall(app);
 475         app.checkAfterInstall();
 476
 477         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 478
 479         // launch
 480         {
 481             ScopedAppLauncher appLaunch(app);
 482             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 483         }
 484
 485         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 486     }
 487     app.checkAfterUninstall();
 488     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 489 }
 490
 491 RUNNER_CHILD_TEST(smack_privileges_110_hybridity_change, InternetOnlySetup)
 492 {
 493     AppInstallHelperExt app("sm_test_sp_110_app");
 494     app.addPrivileges({PRIV_INTERNET});
 495     {
 496         ScopedInstaller appInstall(app);
 497         app.checkAfterInstall();
 498
 499         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 500
 501         // launch
 502         {
 503             ScopedAppLauncher appLaunch(app);
 504             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 505         }
 506
 507         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 508
 509         app.setHybrid();
 510
 511         // make it hybrid
 512         InstallRequest request;
 513         request.setAppId(app.getAppId());
 514         request.setPkgId(app.getPkgId());
 515         request.setUid(app.getUID());
 516         request.setHybrid();
 517         for (const auto &priv: app.getPrivileges()) {
 518             request.addPrivilege(priv);
 519         }
 520         Api::update(request);
 521
 522         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 523
 524         // launch
 525         {
 526             ScopedAppLauncher appLaunch(app);
 527             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 528         }
 529
 530         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 531     }
 532     app.checkAfterUninstall();
 533     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 534 }
 535
 536 RUNNER_CHILD_TEST(smack_privileges_120_policy_change_while_running, InternetOnlySetup)
 537 {
 538     TemporaryTestUser testUser("sm_test_120_user_name", GUM_USERTYPE_NORMAL, true);
 539     testUser.create();
 540
 541     AppInstallHelperExt app("sm_test_sp_120_app", testUser.getUid());
 542     app.addPrivileges({PRIV_INTERNET});
 543     {
 544         ScopedInstaller appInstall(app);
 545         app.checkAfterInstall();
 546
 547         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 548
 549         // launch
 550         {
 551             ScopedAppLauncher appLaunch(app);
 552             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 553
 554             // change policy
 555             changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
 556
 557             app.checkSmackPrivileges({}, {PRIV_INTERNET});
 558
 559             // change policy
 560             changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
 561
 562             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 563         }
 564         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 565     }
 566     app.checkAfterUninstall();
 567     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 568 }
 569
 570 RUNNER_CHILD_TEST(smack_privileges_130_different_users_and_policies, InternetOnlySetup)
 571 {
 572     TemporaryTestUser testUser("sm_test_130_user_name", GUM_USERTYPE_NORMAL, true);
 573     testUser.create();
 574
 575     AppInstallHelperExt app("sm_test_sp_130_app");
 576     app.addPrivileges({PRIV_INTERNET});
 577     {
 578         // global install
 579         ScopedInstaller appInstall(app);
 580         app.checkAfterInstall();
 581
 582         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 583
 584         // test user launch with denied policy
 585         {
 586             app.setUidGid(testUser.getUid());
 587             changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
 588             ScopedAppLauncher appLaunch(app);
 589             app.checkSmackPrivileges({}, {PRIV_INTERNET});
 590         }
 591
 592         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 593
 594         // owner launch
 595         {
 596             app.setUidGid(OWNER_ID);
 597             ScopedAppLauncher appLaunch(app);
 598             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 599         }
 600
 601         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 602     }
 603     app.checkAfterUninstall();
 604     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 605 }
 606
 607 RUNNER_CHILD_TEST(smack_privileges_140_two_users_sequence, InternetOnlySetup)
 608 {
 609     TemporaryTestUser testUser("sm_test_140_user_name", GUM_USERTYPE_NORMAL, true);
 610     testUser.create();
 611
 612     AppInstallHelperExt app("sm_test_sp_140_app");
 613     app.addPrivileges({PRIV_INTERNET});
 614     {
 615         // global install
 616         ScopedInstaller appInstall(app);
 617         app.checkAfterInstall();
 618         app.checkSmackPrivileges({}, {PRIV_INTERNET});
 619         {
 620             // owner launch -> allowed
 621             app.setUidGid(OWNER_ID);
 622             ScopedAppLauncher appLaunch1(app);
 623             app.checkSmackPrivileges({PRIV_INTERNET}, {});
 624             {
 625                 // test user launch -> denied
 626                 app.setUidGid(testUser.getUid());
 627                 ScopedAppLauncher appLaunch2(app);
 628                 app.checkSmackPrivileges({}, {PRIV_INTERNET});
 629
 630                 // owner launch -> denied
 631                 app.setUidGid(OWNER_ID);
 632                 ScopedAppLauncher appLaunch3(app);
 633                 app.checkSmackPrivileges({}, {PRIV_INTERNET});
 634             }
 635             // test user launch -> still denied
 636             app.setUidGid(testUser.getUid());
 637             ScopedAppLauncher appLaunch4(app);
 638             app.checkSmackPrivileges({}, {PRIV_INTERNET});
 639         }
 640
 641         // test user launch -> allowed
 642         app.setUidGid(testUser.getUid());
 643         ScopedAppLauncher appLaunch5(app);
 644         app.checkSmackPrivileges({PRIV_INTERNET}, {});
 645     }
 646     app.checkAfterUninstall();
 647     app.checkSmackPrivileges({}, {PRIV_INTERNET});
 648 }
 649
 650 RUNNER_CHILD_TEST(smack_privileges_150_independent_apps, InternetOnlySetup)
 651 {
 652     TemporaryTestUser testUser("sm_test_150_user_name", GUM_USERTYPE_NORMAL, true);
 653     testUser.create();
 654
 655     AppInstallHelperExt app1("sm_test_sp_150_app1", testUser.getUid());
 656     AppInstallHelperExt app2("sm_test_sp_150_app2", testUser.getUid());
 657     app1.addPrivileges({PRIV_INTERNET});
 658     {
 659         ScopedInstaller appInstall1(app1);
 660         ScopedInstaller appInstall2(app2);
 661
 662         app1.checkAfterInstall();
 663         app2.checkAfterInstall();
 664
 665         app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 666         app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 667
 668         // launch
 669         {
 670             ScopedAppLauncher appLaunch1(app1);
 671             ScopedAppLauncher appLaunch2(app2);
 672
 673             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 674             app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 675         }
 676     }
 677     app1.checkAfterUninstall();
 678     app2.checkAfterUninstall();
 679     app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 680     app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 681 }
 682
 683 RUNNER_CHILD_TEST(smack_privileges_160_nonhybrid_package, InternetOnlySetup)
 684 {
 685     TemporaryTestUser testUser("sm_test_160_user_name", GUM_USERTYPE_NORMAL, true);
 686     testUser.create();
 687
 688     constexpr char pkgPrefix[] = "sm_test_sp_160_pkg";
 689
 690     AppInstallHelperExt app1("sm_test_sp_160_app1", pkgPrefix, testUser.getUid());
 691     app1.addPrivileges({PRIV_INTERNET});
 692
 693     AppInstallHelperExt app2("sm_test_sp_160_app2", pkgPrefix, testUser.getUid());
 694     app2.addPrivileges({PRIV_INTERNET});
 695     {
 696         ScopedInstaller appInstall1(app1);
 697         ScopedInstaller appInstall2(app2);
 698
 699         app1.checkAfterInstall();
 700         app2.checkAfterInstall();
 701
 702         app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 703         app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 704
 705         // launch
 706         {
 707             ScopedAppLauncher appLaunch1(app1);
 708             ScopedAppLauncher appLaunch2(app2);
 709
 710             // both have access in non-hybrid package
 711             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 712             app2.checkSmackPrivileges({PRIV_INTERNET}, {});
 713
 714             // change policy of single app
 715             changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
 716
 717             // both should lose the access
 718             app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 719             app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 720
 721             changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
 722
 723             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 724             app2.checkSmackPrivileges({PRIV_INTERNET}, {});
 725         }
 726     }
 727     app1.checkAfterUninstall();
 728     app2.checkAfterUninstall();
 729     app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 730     app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 731 }
 732
 733
 734 RUNNER_CHILD_TEST(smack_privileges_170_hybrid_package, InternetOnlySetup)
 735 {
 736     TemporaryTestUser testUser("sm_test_170_user_name", GUM_USERTYPE_NORMAL, true);
 737     testUser.create();
 738
 739     constexpr char pkgPrefix[] = "sm_test_sp_170_pkg";
 740
 741     AppInstallHelperExt app1("sm_test_sp_170_app1", pkgPrefix, testUser.getUid());
 742     app1.addPrivileges({PRIV_INTERNET});
 743     app1.setHybrid();
 744
 745     AppInstallHelperExt app2("sm_test_sp_170_app2", pkgPrefix, testUser.getUid());
 746     app2.setHybrid();
 747     {
 748         ScopedInstaller appInstall1(app1);
 749         ScopedInstaller appInstall2(app2);
 750
 751         app1.checkAfterInstall();
 752         app2.checkAfterInstall();
 753
 754         app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 755         app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 756
 757         // launch
 758         {
 759             ScopedAppLauncher appLaunch1(app1);
 760             ScopedAppLauncher appLaunch2(app2);
 761
 762             // only one have access in a hybrid package
 763             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 764             app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 765
 766             // change policy of single app
 767             changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
 768
 769             // both should have no access
 770             app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 771             app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 772
 773             changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
 774
 775             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 776             app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 777         }
 778     }
 779     app1.checkAfterUninstall();
 780     app2.checkAfterUninstall();
 781     app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 782     app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 783 }
 784
 785 RUNNER_CHILD_TEST(smack_privileges_180_hybrid_package_both_apps_privileged, InternetOnlySetup)
 786 {
 787     TemporaryTestUser testUser("sm_test_180_user_name", GUM_USERTYPE_NORMAL, true);
 788     testUser.create();
 789
 790     constexpr char pkgPrefix[] = "sm_test_sp_180_pkg";
 791
 792     AppInstallHelperExt app1("sm_test_sp_180_app1", pkgPrefix, testUser.getUid());
 793     app1.addPrivileges({PRIV_INTERNET});
 794     app1.setHybrid();
 795
 796     AppInstallHelperExt app2("sm_test_sp_180_app2", pkgPrefix, testUser.getUid());
 797     app2.addPrivileges({PRIV_INTERNET});
 798     app2.setHybrid();
 799     {
 800         ScopedInstaller appInstall1(app1);
 801         ScopedInstaller appInstall2(app2);
 802
 803         app1.checkAfterInstall();
 804         app2.checkAfterInstall();
 805
 806         app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 807         app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 808
 809         // launch
 810         {
 811             ScopedAppLauncher appLaunch1(app1);
 812             ScopedAppLauncher appLaunch2(app2);
 813
 814             // only one have access in a hybrid package
 815             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 816             app2.checkSmackPrivileges({PRIV_INTERNET}, {});
 817
 818             // change policy of single app
 819             changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
 820
 821             // both should have no access
 822             app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 823             app2.checkSmackPrivileges({PRIV_INTERNET}, {});
 824
 825             changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
 826
 827             app1.checkSmackPrivileges({PRIV_INTERNET}, {});
 828             app2.checkSmackPrivileges({PRIV_INTERNET}, {});
 829         }
 830     }
 831     app1.checkAfterUninstall();
 832     app2.checkAfterUninstall();
 833     app1.checkSmackPrivileges({}, {PRIV_INTERNET});
 834     app2.checkSmackPrivileges({}, {PRIV_INTERNET});
 835 }
 836
 837 RUNNER_CHILD_TEST(smack_privileges_200_empty_policy, EmptySetup)
 838 {
 839     AppInstallHelperExt app("sm_test_sp_200_app");
 840     app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA});
 841     {
 842         ScopedInstaller appInstall(app);
 843
 844         app.checkAfterInstall();
 845
 846         app.checkSmackAccesses(INTERNET_RULES, false);
 847         app.checkSmackAccesses(CAMERA_RULES, false);
 848         {
 849             ScopedAppLauncher appLaunch(app);
 850
 851             // no config -> no access
 852             app.checkSmackAccesses(INTERNET_RULES, false);
 853             app.checkSmackAccesses(CAMERA_RULES, false);
 854         }
 855     }
 856     app.checkAfterUninstall();
 857     app.checkSmackAccesses(INTERNET_RULES, false);
 858     app.checkSmackAccesses(CAMERA_RULES, false);
 859 }
 860
 861 RUNNER_CHILD_TEST(smack_privileges_300_multi_policy_no_privs, MultiplePrivsSetup)
 862 {
 863     AppInstallHelperExt app("sm_test_sp_300_app");
 864     {
 865         ScopedInstaller appInstall(app);
 866
 867         app.checkAfterInstall();
 868         app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 869         app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 870         {
 871             ScopedAppLauncher appLaunch(app);
 872
 873             app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 874             app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 875         }
 876     }
 877     app.checkAfterUninstall();
 878     app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 879 }
 880
 881 RUNNER_CHILD_TEST(smack_privileges_310_multi_policy_single_priv, MultiplePrivsSetup)
 882 {
 883     AppInstallHelperExt app("sm_test_sp_310_app");
 884     app.addPrivilege(PRIV_CAMERA);
 885     {
 886         ScopedInstaller appInstall(app);
 887
 888         app.checkAfterInstall();
 889         app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 890         app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 891         {
 892             ScopedAppLauncher appLaunch(app);
 893
 894             app.checkSmackPrivileges({PRIV_CAMERA}, {PRIV_INTERNET});
 895             app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 896         }
 897     }
 898     app.checkAfterUninstall();
 899     app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 900 }
 901
 902 RUNNER_CHILD_TEST(smack_privileges_320_multi_policy_all_privs, MultiplePrivsSetup)
 903 {
 904     TemporaryTestUser testUser("sm_test_320_user_name", GUM_USERTYPE_NORMAL, true);
 905     testUser.create();
 906
 907     AppInstallHelperExt app("sm_test_sp_320_app", testUser.getUid());
 908     app.addPrivileges({PRIV_CAMERA, PRIV_INTERNET});
 909     {
 910         ScopedInstaller appInstall(app);
 911
 912         app.checkAfterInstall();
 913         app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 914         app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 915         {
 916             ScopedAppLauncher appLaunch(app);
 917
 918             app.checkSmackPrivileges({PRIV_CAMERA, PRIV_INTERNET}, {});
 919             app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 920
 921             // change policy
 922             changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
 923
 924             app.checkSmackPrivileges({PRIV_CAMERA}, {PRIV_INTERNET});
 925             app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 926
 927             // change policy
 928             changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
 929             changePolicy(app, PRIV_CAMERA, PolicyEntry::LEVEL_DENY);
 930
 931             app.checkSmackPrivileges({PRIV_INTERNET}, {PRIV_CAMERA});
 932             app.checkSmackAccesses(CAMERA_IGNORED_RULES, false);
 933         }
 934     }
 935     app.checkAfterUninstall();
 936     app.checkSmackPrivileges({}, {PRIV_INTERNET, PRIV_CAMERA});
 937 }
 938
 939 RUNNER_CHILD_TEST(smack_privileges_400_malformed, MalformedSetup)
 940 {
 941     AppInstallHelperExt app("sm_test_sp_400_app");
 942     app.addPrivileges({PRIV_INTERNET, PRIV_CAMERA});
 943     {
 944         ScopedInstaller appInstall(app);
 945
 946         app.checkAfterInstall();
 947
 948         app.checkSmackAccesses(INTERNET_RULES, false);
 949         app.checkSmackAccesses(CAMERA_RULES, false);
 950         {
 951             ScopedAppLauncher appLaunch(app);
 952
 953             // malformed config -> no access
 954             app.checkSmackAccesses(INTERNET_RULES, false);
 955             app.checkSmackAccesses(CAMERA_RULES, false);
 956         }
 957     }
 958     app.checkAfterUninstall();
 959     app.checkSmackAccesses(INTERNET_RULES, false);
 960     app.checkSmackAccesses(CAMERA_RULES, false);
 961 }