1 #include <dpl/test/test_runner.h>
6 #include <unordered_set>
7 #include <sys/capability.h>
9 #include <sys/socket.h>
11 #include <attr/xattr.h>
12 #include <linux/xattr.h>
17 #include <libprivilege-control_test_common.h>
18 #include <tests_common.h>
20 #include <tzplatform_config.h>
21 #include <security-manager.h>
24 #include <sm_request.h>
25 #include <sm_user_request.h>
26 #include <temp_test_user.h>
27 #include <cynara_test_client.h>
28 #include <service_manager.h>
30 using namespace SecurityManagerTest;
32 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
33 DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
35 static const privileges_t SM_ALLOWED_PRIVILEGES = {
36 "http://tizen.org/privilege/location",
37 "http://tizen.org/privilege/camera"
40 static const privileges_t SM_DENIED_PRIVILEGES = {
41 "http://tizen.org/privilege/bluetooth",
42 "http://tizen.org/privilege/power"
45 static const privileges_t SM_NO_PRIVILEGES = {
48 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
50 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
51 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
52 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
53 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
54 static const std::string EXEC_FILE("exec");
55 static const std::string NORMAL_FILE("normal");
56 static const std::string LINK_PREFIX("link_to_");
58 static void generateAppLabel(const std::string &pkgId, std::string &label)
64 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
65 const char* correctLabel, bool transmute_test, bool exec_test)
69 char* label = nullptr;
72 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
73 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
74 labelPtr.reset(label);
75 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
76 result = strcmp(correctLabel, label);
77 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
78 " (should be '" << correctLabel << "' and is '" << label << "')");
82 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
83 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
84 labelPtr.reset(label);
86 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
87 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
88 result = strcmp(correctLabel, label);
89 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
91 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
95 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
96 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
97 labelPtr.reset(label);
99 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
100 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
101 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
102 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
104 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
111 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
112 int /*typeflag*/, struct FTW* /*ftwbuf*/)
114 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
117 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
118 int /*typeflag*/, struct FTW* /*ftwbuf*/)
121 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
124 static void prepare_app_path()
128 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
129 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
131 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
132 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
134 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
135 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
138 static void prepare_app_env()
143 /* TODO: add parameters to this function */
144 static void check_app_path_after_install()
148 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
149 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
151 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
152 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
154 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
155 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
159 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
160 const privileges_t &allowed_privs, const privileges_t &denied_privs)
163 std::string smackLabel;
164 generateAppLabel(pkg_id, smackLabel);
166 CynaraTestClient::Client ctc;
168 for (auto &priv : allowed_privs) {
169 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
172 for (auto &priv : denied_privs) {
173 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
177 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
180 gid_t main_gid = getgid();
181 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
183 // Reset supplementary groups
184 ret = setgroups(0, NULL);
185 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
187 Api::setProcessGroups(app_id);
189 ret = getgroups(0, nullptr);
190 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
192 std::vector<gid_t> actual_gids(ret);
193 ret = getgroups(ret, actual_gids.data());
194 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
196 for (const auto &gid : actual_gids) {
197 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
198 "Application shouldn't get access to group " << gid);
199 reference_gids.erase(gid);
202 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
205 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
206 const privileges_t &allowed_privs,
207 const privileges_t &denied_privs,
208 const std::vector<std::string> &allowed_groups)
210 TestSecurityManagerDatabase dbtest;
211 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
212 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
214 /*Privileges should be granted to all users if root installs app*/
215 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
217 /* Setup mapping of gids to privileges */
218 /* Do this for each privilege for extra check */
219 for (const auto &privilege : allowed_privs) {
220 dbtest.setup_privilege_groups(privilege, allowed_groups);
223 std::vector<gid_t> allowed_gids;
225 for (const auto &groupName : allowed_groups) {
227 struct group* grp = getgrnam(groupName.c_str());
228 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
229 allowed_gids.push_back(grp->gr_gid);
232 check_app_gids(app_id, allowed_gids);
235 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
237 TestSecurityManagerDatabase dbtest;
238 dbtest.test_db_after__app_install(app_id, pkg_id);
241 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
242 const privileges_t &privileges, const bool is_pkg_removed)
244 TestSecurityManagerDatabase dbtest;
245 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
248 /*Privileges should not be granted anymore to any user*/
249 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
252 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
253 const bool is_pkg_removed)
255 TestSecurityManagerDatabase dbtest;
256 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
259 static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
261 InstallRequest request;
262 request.setAppId(app_id);
263 request.setPkgId(pkg_id);
265 Api::install(request);
267 check_app_after_install(app_id, pkg_id);
271 static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
273 InstallRequest request;
274 request.setAppId(app_id);
276 Api::uninstall(request);
278 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
282 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
285 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
287 const char *const sm_app_id = "sm_test_01a_app_id_double";
288 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
290 InstallRequest requestInst;
291 requestInst.setAppId(sm_app_id);
292 requestInst.setPkgId(sm_pkg_id);
294 Api::install(requestInst);
295 Api::install(requestInst);
297 /* Check records in the security-manager database */
298 check_app_after_install(sm_app_id, sm_pkg_id);
300 InstallRequest requestUninst;
301 requestUninst.setAppId(sm_app_id);
303 Api::uninstall(requestUninst);
304 Api::uninstall(requestUninst);
306 /* Check records in the security-manager database */
307 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
311 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
313 const char *const sm_app_id = "sm_test_01b_app";
314 const char *const sm_pkg_id = "sm_test_01b_pkg";
315 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
317 InstallRequest requestInst;
318 requestInst.setAppId(sm_app_id);
319 requestInst.setPkgId(sm_pkg_id);
321 Api::install(requestInst);
323 InstallRequest requestInst2;
324 requestInst2.setAppId(sm_app_id);
325 requestInst2.setPkgId(sm_pkg_id_wrong);
327 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
330 /* Check records in the security-manager database */
331 check_app_after_install(sm_app_id, sm_pkg_id);
333 InstallRequest requestUninst;
334 requestUninst.setAppId(sm_app_id);
336 Api::uninstall(requestUninst);
339 /* Check records in the security-manager database */
340 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
344 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
346 const char * const sm_app_id = "SM_TEST_01c_APPID";
347 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
348 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
350 InstallRequest requestInst;
351 requestInst.setAppId(sm_app_id);
352 requestInst.setPkgId(sm_pkg_id);
354 Api::install(requestInst);
356 /* Check records in the security-manager database */
357 check_app_after_install(sm_app_id, sm_pkg_id);
359 InstallRequest requestUninst;
360 requestUninst.setAppId(sm_app_id);
361 requestUninst.setPkgId(sm_pkg_id_wrong);
363 Api::uninstall(requestUninst);
365 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
369 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
371 const char *const sm_app_id = "sm_test_02_app_id_full";
372 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
376 InstallRequest requestInst;
377 requestInst.setAppId(sm_app_id);
378 requestInst.setPkgId(sm_pkg_id);
379 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
380 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
381 requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE);
382 requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
384 Api::install(requestInst);
386 /* Check records in the security-manager database */
387 check_app_after_install(sm_app_id, sm_pkg_id,
388 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
390 /* TODO: add parameters to this function */
391 check_app_path_after_install();
393 InstallRequest requestUninst;
394 requestUninst.setAppId(sm_app_id);
396 Api::uninstall(requestUninst);
398 /* Check records in the security-manager database,
399 * all previously allowed privileges should be removed */
400 check_app_after_uninstall(sm_app_id, sm_pkg_id,
401 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
404 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
406 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
407 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
408 const char *const expected_label = USER_APP_ID;
409 const char *const socketLabel = "not_expected_label";
410 char *label = nullptr;
414 uninstall_app(app_id, pkg_id, true);
415 install_app(app_id, pkg_id);
417 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
418 //Clean up before creating socket
420 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
421 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
422 SockUniquePtr sockPtr(&sock);
423 //Bind socket to address
424 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
425 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
426 //Set socket label to something different than expecedLabel
427 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
428 strlen(socketLabel), 0);
429 RUNNER_ASSERT_ERRNO_MSG(result == 0,
430 "Can't set socket label. Result: " << result);
431 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
432 strlen(socketLabel), 0);
433 RUNNER_ASSERT_ERRNO_MSG(result == 0,
434 "Can't set socket label. Result: " << result);
436 Api::setProcessLabel(app_id);
438 char value[SMACK_LABEL_LEN + 1];
440 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
441 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
442 result = strcmp(expected_label, value);
443 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
444 expected_label << " Actual: " << value);
446 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
447 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
448 result = strcmp(expected_label, value);
449 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
450 expected_label << " Actual: " << value);
452 result = smack_new_label_from_self(&label);
453 RUNNER_ASSERT_MSG(result >= 0,
454 " Error getting current process label");
455 RUNNER_ASSERT_MSG(label != nullptr,
456 " Process label is not set");
457 labelPtr.reset(label);
459 result = strcmp(expected_label, label);
460 RUNNER_ASSERT_MSG(result == 0,
461 " Process label is incorrect. Expected: \"" << expected_label <<
462 "\" Actual: \"" << label << "\"");
464 uninstall_app(app_id, pkg_id, true);
467 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
469 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
470 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
472 uninstall_app(app_id, pkg_id, true);
473 install_app(app_id, pkg_id);
475 Api::setProcessLabel(app_id);
477 uninstall_app(app_id, pkg_id, true);
480 static void prepare_request(InstallRequest &request,
481 const char *const app_id,
482 const char *const pkg_id,
483 app_install_path_type pathType,
484 const char *const path,
487 request.setAppId(app_id);
488 request.setPkgId(pkg_id);
489 request.addPath(path, pathType);
495 static uid_t getGlobalUserId(void)
497 return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
500 static const std::string appDirPath(const TemporaryTestUser &user)
502 struct tzplatform_context *tzCtxPtr = nullptr;
504 RUNNER_ASSERT(0 == tzplatform_context_create(&tzCtxPtr));
505 TzPlatformContextPtr tzCtxPtrSmart(tzCtxPtr);
507 RUNNER_ASSERT_MSG(0 == tzplatform_context_set_user(tzCtxPtr, user.getUid()),
508 "Unable to set user <" << user.getUserName() << "> for tzplatform context");
510 const char *appDir = tzplatform_context_getenv(tzCtxPtr,
511 getGlobalUserId() == user.getUid() ? TZ_SYS_RW_APP : TZ_USER_APP);
512 RUNNER_ASSERT_MSG(nullptr != appDir,
513 "tzplatform_context_getenv failed"
514 << "for getting sys rw app of user <" << user.getUserName() << ">");
519 static const std::string nonAppDirPath(const TemporaryTestUser &user)
521 return TMP_DIR + "/" + user.getUserName();
524 static const std::string uidToStr(const uid_t uid)
526 return std::to_string(static_cast<unsigned int>(uid));
529 static void install_and_check(const char *const sm_app_id,
530 const char *const sm_pkg_id,
531 const TemporaryTestUser& user,
532 const std::string &appDir,
535 InstallRequest requestPublic;
537 //install app for non-root user and try to register public path (should fail)
538 prepare_request(requestPublic, sm_app_id, sm_pkg_id,
539 SECURITY_MANAGER_PATH_PUBLIC, appDir.c_str(),
540 requestUid ? user.getUid() : 0);
542 Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
544 InstallRequest requestPrivate;
546 //install app for non-root user
547 //should fail (users may only register folders inside their home)
548 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
549 SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH,
550 requestUid ? user.getUid() : 0);
552 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
554 InstallRequest requestPrivateUser;
556 //install app for non-root user
557 //should succeed - this time i register folder inside user's home dir
558 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
559 SECURITY_MANAGER_PATH_PRIVATE, appDir.c_str(),
560 requestUid ? user.getUid() : 0);
562 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
563 requestPrivateUser.addPrivilege(privilege.c_str());
565 Api::install(requestPrivateUser);
567 check_app_permissions(sm_app_id, sm_pkg_id,
568 uidToStr(user.getUid()).c_str(),
569 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
572 static void createTestDir(const std::string &dir)
574 mode_t dirMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
575 mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
576 mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
578 mkdirSafe(dir, dirMode);
579 creatSafe(dir + "/" + EXEC_FILE, execFileMode);
580 creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
581 symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
582 symlinkSafe(dir + "/" + NORMAL_FILE, dir + "/" + LINK_PREFIX + NORMAL_FILE);
585 static void createInnerAppDir(const std::string &dir, const std::string &nonAppDir)
589 symlinkSafe(nonAppDir, dir + "/" + LINK_PREFIX + "non_app_dir");
590 symlinkSafe(nonAppDir + "/" + EXEC_FILE,
591 dir + "/" + LINK_PREFIX + "non_app_" + EXEC_FILE);
592 symlinkSafe(nonAppDir + "/" + NORMAL_FILE,
593 dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
596 static void generateAppDir(const TemporaryTestUser &user)
598 const std::string dir = appDirPath(user);
599 const std::string nonAppDir = nonAppDirPath(user);
601 createInnerAppDir(dir, nonAppDir);
602 createInnerAppDir(dir + "/.inner_dir", nonAppDir);
603 createInnerAppDir(dir + "/inner_dir", nonAppDir);
606 static void generateNonAppDir(const TemporaryTestUser &user)
608 const std::string dir = nonAppDirPath(user);
611 createTestDir(dir + "/.inner_dir");
612 createTestDir(dir + "/inner_dir");
615 static void createTestDirs(const TemporaryTestUser &user)
617 generateAppDir(user);
618 generateNonAppDir(user);
621 static void removeTestDirs(const TemporaryTestUser &user)
623 removeDir(appDirPath(user));
624 removeDir(nonAppDirPath(user));
627 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
630 const char *const sm_app_id = "sm_test_04a_app_id_uid";
631 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
632 const std::string new_user_name = "sm_test_04a_user_name";
634 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
636 removeTestDirs(testUser);
637 createTestDirs(testUser);
639 const std::string userAppDirPath = appDirPath(testUser);
641 //switch user to non-root
642 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
643 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
645 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
647 //uninstall app as non-root user
648 InstallRequest request;
649 request.setAppId(sm_app_id);
651 Api::uninstall(request);
653 check_app_permissions(sm_app_id, sm_pkg_id,
654 uidToStr(testUser.getUid()).c_str(),
655 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
658 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
661 const char *const sm_app_id = "sm_test_04b_app_id_uid";
662 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
663 const std::string new_user_name = "sm_test_04b_user_name";
665 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
667 removeTestDirs(testUser);
668 createTestDirs(testUser);
670 install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser), true);
672 //switch user to non-root - root may not uninstall apps for specified users
673 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
674 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
676 //uninstall app as non-root user
677 InstallRequest request;
678 request.setAppId(sm_app_id);
680 Api::uninstall(request);
682 check_app_permissions(sm_app_id, sm_pkg_id,
683 uidToStr(testUser.getUid()).c_str(),
684 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
688 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
691 CapsSetsUniquePtr caps, caps_empty(cap_init());
693 caps.reset(cap_from_text("all=eip"));
694 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
695 result = cap_set_proc(caps.get());
696 RUNNER_ASSERT_MSG(result == 0,
697 "can't set capabilities. Result: " << result);
699 Api::dropProcessPrivileges();
701 caps.reset(cap_get_proc());
702 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
704 result = cap_compare(caps.get(), caps_empty.get());
705 RUNNER_ASSERT_MSG(result == 0,
706 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
709 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
711 const char *const app_id = "sm_test_06_app_id_install_app_offline";
712 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
713 ServiceManager serviceManager("security-manager.service");
715 uninstall_app(app_id, pkg_id, true);
716 serviceManager.maskService();
717 serviceManager.stopService();
719 install_app(app_id, pkg_id);
721 serviceManager.unmaskService();
722 serviceManager.startService();
724 uninstall_app(app_id, pkg_id, true);
727 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
729 const char *const sm_app_id = "sm_test_07_app_id_user";
730 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
731 const std::string new_user_name = "sm_test_07_user_name";
732 std::string uid_string;
733 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
734 uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
736 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
738 check_app_after_install(sm_app_id, sm_pkg_id);
742 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
744 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
747 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
749 UserRequest addUserRequest;
751 const char *const sm_app_id = "sm_test_08_app_id_user";
752 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
753 const char *const new_user_name = "sm_test_08_user_name";
754 std::string uid_string;
757 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
758 uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
760 addUserRequest.setUid(test_user.getUid());
761 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
764 Api::addUser(addUserRequest);
766 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
768 check_app_after_install(sm_app_id, sm_pkg_id);
772 UserRequest deleteUserRequest;
773 deleteUserRequest.setUid(test_user.getUid());
775 Api::deleteUser(deleteUserRequest);
777 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
779 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
782 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
784 const char *const app_id = "security_manager_09_add_user_offline_app";
785 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
786 const std::string username("sm_test_09_user_name");
787 ServiceManager serviceManager("security-manager.service");
788 serviceManager.maskService();
789 serviceManager.stopService();
791 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
793 install_app(app_id, pkg_id, user.getUid());
795 check_app_after_install(app_id, pkg_id);
797 serviceManager.unmaskService();
798 serviceManager.startService();
802 check_app_after_uninstall(app_id, pkg_id, true);
805 int main(int argc, char *argv[])
807 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);