1 #include <dpl/log/log.h>
2 #include <dpl/test/test_runner.h>
7 #include <unordered_set>
8 #include <sys/capability.h>
12 #include <sys/types.h>
14 #include <sys/socket.h>
16 #include <attr/xattr.h>
17 #include <linux/xattr.h>
20 #include <sys/types.h>
26 #include <libprivilege-control_test_common.h>
27 #include <tests_common.h>
29 #include <tzplatform_config.h>
30 #include <security-manager.h>
33 #include <sm_request.h>
34 #include <sm_user_request.h>
35 #include <temp_test_user.h>
36 #include <cynara_test_client.h>
37 #include <cynara_test_admin.h>
38 #include <service_manager.h>
39 #include <cynara_test_admin.h>
41 using namespace SecurityManagerTest;
43 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
44 DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
46 static const privileges_t SM_ALLOWED_PRIVILEGES = {
47 "http://tizen.org/privilege/location",
48 "http://tizen.org/privilege/camera"
51 static const privileges_t SM_DENIED_PRIVILEGES = {
52 "http://tizen.org/privilege/bluetooth",
53 "http://tizen.org/privilege/power"
56 static const privileges_t SM_NO_PRIVILEGES = {
59 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
61 static const char *const SM_RW_PATH = "/usr/apps/app_dir";
62 static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro";
63 static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
65 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
66 static const std::string EXEC_FILE("exec");
67 static const std::string NORMAL_FILE("normal");
68 static const std::string LINK_PREFIX("link_to_");
70 static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
71 static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
72 static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
73 static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
75 static const std::vector<std::string> MANY_APPS = {
76 "security_manager_10_app_1",
77 "security_manager_10_app_2",
78 "security_manager_10_app_3",
79 "security_manager_10_app_4",
80 "security_manager_10_app_5"
83 static const std::map<std::string, std::string> MANY_APPS_PKGS = {
84 {"security_manager_10_app_1", "security_manager_10_pkg_1"},
85 {"security_manager_10_app_2", "security_manager_10_pkg_2"},
86 {"security_manager_10_app_3", "security_manager_10_pkg_3"},
87 {"security_manager_10_app_4", "security_manager_10_pkg_4"},
88 {"security_manager_10_app_5", "security_manager_10_pkg_5"},
89 {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG}
92 static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
94 "http://tizen.org/privilege/internet",
95 "http://tizen.org/privilege/location"
98 "http://tizen.org/privilege/telephony",
99 "http://tizen.org/privilege/camera"
102 "http://tizen.org/privilege/contact.read",
103 "http://tizen.org/privilege/led",
104 "http://tizen.org/privilege/email"
107 "http://tizen.org/privilege/led",
108 "http://tizen.org/privilege/email",
109 "http://tizen.org/privilege/telephony",
110 "http://tizen.org/privilege/camera"
113 "http://tizen.org/privilege/internet",
114 "http://tizen.org/privilege/location",
115 "http://tizen.org/privilege/led",
116 "http://tizen.org/privilege/email"
120 static std::string generateAppLabel(const std::string &appId)
122 return "User::App::" + appId;
125 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
126 const char* correctLabel, bool transmute_test, bool exec_test)
130 char* label = nullptr;
133 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
134 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
135 labelPtr.reset(label);
136 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
137 result = strcmp(correctLabel, label);
138 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
139 " (should be '" << correctLabel << "' and is '" << label << "')");
143 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
144 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
145 labelPtr.reset(label);
147 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
148 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
149 result = strcmp(correctLabel, label);
150 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
152 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
156 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
157 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
158 labelPtr.reset(label);
160 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
161 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
162 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
163 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
165 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
171 // nftw doesn't allow passing user data to functions. Work around by using global variable
172 static std::string nftw_expected_label;
173 bool nftw_expected_transmute;
174 bool nftw_expected_exec;
176 static int nftw_check_sm_labels(const char *fpath, const struct stat *sb,
177 int /*typeflag*/, struct FTW* /*ftwbuf*/)
179 return nftw_check_sm_labels_app_dir(fpath, sb,
180 nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec);
183 static void prepare_app_path()
187 result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
188 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
190 result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
191 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
193 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
194 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
197 static void prepare_app_env()
202 static void check_app_path_after_install(const char *appId)
206 nftw_expected_label = generateAppLabel(appId);
207 nftw_expected_transmute = false;
208 nftw_expected_exec = true;
210 result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
211 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
213 nftw_expected_label = "User::Home";
214 nftw_expected_transmute = true;
215 nftw_expected_exec = false;
217 result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
218 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
220 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
221 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
225 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
226 const privileges_t &allowed_privs, const privileges_t &denied_privs)
229 std::string smackLabel = generateAppLabel(app_id);
231 CynaraTestClient::Client ctc;
233 for (auto &priv : allowed_privs) {
234 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
237 for (auto &priv : denied_privs) {
238 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
242 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
245 gid_t main_gid = getgid();
246 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
248 // Reset supplementary groups
249 ret = setgroups(0, NULL);
250 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
252 Api::setProcessGroups(app_id);
254 ret = getgroups(0, nullptr);
255 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
257 std::vector<gid_t> actual_gids(ret);
258 ret = getgroups(ret, actual_gids.data());
259 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
261 for (const auto &gid : actual_gids) {
262 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
263 "Application shouldn't get access to group " << gid);
264 reference_gids.erase(gid);
267 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
270 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
271 const privileges_t &allowed_privs,
272 const privileges_t &denied_privs,
273 const std::vector<std::string> &allowed_groups)
275 TestSecurityManagerDatabase dbtest;
276 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
277 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
279 /*Privileges should be granted to all users if root installs app*/
280 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
282 /* Setup mapping of gids to privileges */
283 /* Do this for each privilege for extra check */
284 for (const auto &privilege : allowed_privs) {
285 dbtest.setup_privilege_groups(privilege, allowed_groups);
288 std::vector<gid_t> allowed_gids;
290 for (const auto &groupName : allowed_groups) {
292 struct group* grp = getgrnam(groupName.c_str());
293 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
294 allowed_gids.push_back(grp->gr_gid);
297 check_app_gids(app_id, allowed_gids);
300 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
302 TestSecurityManagerDatabase dbtest;
303 dbtest.test_db_after__app_install(app_id, pkg_id);
306 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
307 const privileges_t &privileges, const bool is_pkg_removed)
309 TestSecurityManagerDatabase dbtest;
310 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
313 /*Privileges should not be granted anymore to any user*/
314 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
317 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
318 const bool is_pkg_removed)
320 TestSecurityManagerDatabase dbtest;
321 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
324 static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
326 InstallRequest request;
327 request.setAppId(app_id);
328 request.setPkgId(pkg_id);
330 Api::install(request);
332 check_app_after_install(app_id, pkg_id);
336 static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
338 InstallRequest request;
339 request.setAppId(app_id);
341 Api::uninstall(request);
343 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
346 static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
348 InstallRequest request;
349 request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
350 request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
352 request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
354 request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
355 Api::install(request);
356 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
359 static inline struct passwd *getUserStruct(const std::string &userName) {
360 struct passwd *pw = nullptr;
363 while(!(pw = getpwnam(userName.c_str()))) {
364 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
370 static inline struct passwd *getUserStruct(const uid_t uid) {
371 struct passwd *pw = nullptr;
374 while(!(pw = getpwuid(uid))) {
375 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
381 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
384 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
386 const char *const sm_app_id = "sm_test_01a_app_id_double";
387 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
389 InstallRequest requestInst;
390 requestInst.setAppId(sm_app_id);
391 requestInst.setPkgId(sm_pkg_id);
393 Api::install(requestInst);
394 Api::install(requestInst);
396 /* Check records in the security-manager database */
397 check_app_after_install(sm_app_id, sm_pkg_id);
399 InstallRequest requestUninst;
400 requestUninst.setAppId(sm_app_id);
402 Api::uninstall(requestUninst);
403 Api::uninstall(requestUninst);
405 /* Check records in the security-manager database */
406 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
410 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
412 const char *const sm_app_id = "sm_test_01b_app";
413 const char *const sm_pkg_id = "sm_test_01b_pkg";
414 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
416 InstallRequest requestInst;
417 requestInst.setAppId(sm_app_id);
418 requestInst.setPkgId(sm_pkg_id);
420 Api::install(requestInst);
422 InstallRequest requestInst2;
423 requestInst2.setAppId(sm_app_id);
424 requestInst2.setPkgId(sm_pkg_id_wrong);
426 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
429 /* Check records in the security-manager database */
430 check_app_after_install(sm_app_id, sm_pkg_id);
432 InstallRequest requestUninst;
433 requestUninst.setAppId(sm_app_id);
435 Api::uninstall(requestUninst);
438 /* Check records in the security-manager database */
439 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
443 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
445 const char * const sm_app_id = "SM_TEST_01c_APPID";
446 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
447 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
449 InstallRequest requestInst;
450 requestInst.setAppId(sm_app_id);
451 requestInst.setPkgId(sm_pkg_id);
453 Api::install(requestInst);
455 /* Check records in the security-manager database */
456 check_app_after_install(sm_app_id, sm_pkg_id);
458 InstallRequest requestUninst;
459 requestUninst.setAppId(sm_app_id);
460 requestUninst.setPkgId(sm_pkg_id_wrong);
462 Api::uninstall(requestUninst);
464 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
468 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
470 const char *const sm_app_id = "sm_test_02_app_id_full";
471 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
475 InstallRequest requestInst;
476 requestInst.setAppId(sm_app_id);
477 requestInst.setPkgId(sm_pkg_id);
478 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
479 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
480 requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
481 requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
483 Api::install(requestInst);
485 /* Check records in the security-manager database */
486 check_app_after_install(sm_app_id, sm_pkg_id,
487 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
489 /* TODO: add parameters to this function */
490 check_app_path_after_install(sm_app_id);
492 InstallRequest requestUninst;
493 requestUninst.setAppId(sm_app_id);
495 Api::uninstall(requestUninst);
497 /* Check records in the security-manager database,
498 * all previously allowed privileges should be removed */
499 check_app_after_uninstall(sm_app_id, sm_pkg_id,
500 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
503 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
505 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
506 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
507 const char *const socketLabel = "not_expected_label";
508 std::string expected_label = generateAppLabel(app_id);
509 char *label = nullptr;
513 uninstall_app(app_id, pkg_id, true);
514 install_app(app_id, pkg_id);
516 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
517 //Clean up before creating socket
519 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
520 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
521 SockUniquePtr sockPtr(&sock);
522 //Bind socket to address
523 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
524 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
525 //Set socket label to something different than expecedLabel
526 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
527 strlen(socketLabel), 0);
528 RUNNER_ASSERT_ERRNO_MSG(result == 0,
529 "Can't set socket label. Result: " << result);
530 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
531 strlen(socketLabel), 0);
532 RUNNER_ASSERT_ERRNO_MSG(result == 0,
533 "Can't set socket label. Result: " << result);
535 Api::setProcessLabel(app_id);
537 char value[SMACK_LABEL_LEN + 1];
539 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
540 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
541 result = expected_label.compare(value);
542 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
543 expected_label << " Actual: " << value);
545 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
546 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
547 result = expected_label.compare(value);
548 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
549 expected_label << " Actual: " << value);
551 result = smack_new_label_from_self(&label);
552 RUNNER_ASSERT_MSG(result >= 0,
553 " Error getting current process label");
554 RUNNER_ASSERT_MSG(label != nullptr,
555 " Process label is not set");
556 labelPtr.reset(label);
558 result = expected_label.compare(label);
559 RUNNER_ASSERT_MSG(result == 0,
560 " Process label is incorrect. Expected: \"" << expected_label <<
561 "\" Actual: \"" << label << "\"");
563 uninstall_app(app_id, pkg_id, true);
566 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
568 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
569 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
571 uninstall_app(app_id, pkg_id, true);
572 install_app(app_id, pkg_id);
574 Api::setProcessLabel(app_id);
576 uninstall_app(app_id, pkg_id, true);
579 static void prepare_request(InstallRequest &request,
580 const char *const app_id,
581 const char *const pkg_id,
582 app_install_path_type pathType,
583 const char *const path,
586 request.setAppId(app_id);
587 request.setPkgId(pkg_id);
588 request.addPath(path, pathType);
594 static uid_t getGlobalUserId(void)
596 return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
599 static const std::string appDirPath(const TemporaryTestUser &user,
600 const std::string &appId, const std::string &pkgId)
602 struct tzplatform_context *tzCtxPtr = nullptr;
604 RUNNER_ASSERT(0 == tzplatform_context_create(&tzCtxPtr));
605 TzPlatformContextPtr tzCtxPtrSmart(tzCtxPtr);
607 RUNNER_ASSERT_MSG(0 == tzplatform_context_set_user(tzCtxPtr, user.getUid()),
608 "Unable to set user <" << user.getUserName() << "> for tzplatform context");
610 const char *appDir = tzplatform_context_getenv(tzCtxPtr,
611 getGlobalUserId() == user.getUid() ? TZ_SYS_RW_APP : TZ_USER_APP);
612 RUNNER_ASSERT_MSG(nullptr != appDir,
613 "tzplatform_context_getenv failed"
614 << "for getting sys rw app of user <" << user.getUserName() << ">");
616 return std::string(appDir) + "/" + pkgId + "/" + appId;
619 static const std::string nonAppDirPath(const TemporaryTestUser &user)
621 return TMP_DIR + "/" + user.getUserName();
624 static const std::string uidToStr(const uid_t uid)
626 return std::to_string(static_cast<unsigned int>(uid));
629 static void install_and_check(const char *const sm_app_id,
630 const char *const sm_pkg_id,
631 const TemporaryTestUser& user,
632 const std::string &appDir,
635 InstallRequest requestPublic;
637 //install app for non-root user and try to register public path (should fail)
638 prepare_request(requestPublic, sm_app_id, sm_pkg_id,
639 SECURITY_MANAGER_PATH_PUBLIC, appDir.c_str(),
640 requestUid ? user.getUid() : 0);
642 Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
644 InstallRequest requestPrivate;
646 //install app for non-root user
647 //should fail (users may only register folders inside their home)
648 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
649 SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
650 requestUid ? user.getUid() : 0);
652 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
654 InstallRequest requestPrivateUser;
656 //install app for non-root user
657 //should succeed - this time i register folder inside user's home dir
658 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
659 SECURITY_MANAGER_PATH_RW, appDir.c_str(),
660 requestUid ? user.getUid() : 0);
662 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
663 requestPrivateUser.addPrivilege(privilege.c_str());
665 Api::install(requestPrivateUser);
667 check_app_permissions(sm_app_id, sm_pkg_id,
668 uidToStr(user.getUid()).c_str(),
669 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
672 static void createTestDir(const std::string &dir)
674 mode_t dirMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
675 mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
676 mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
678 mktreeSafe(dir, dirMode);
679 creatSafe(dir + "/" + EXEC_FILE, execFileMode);
680 creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
681 symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
682 symlinkSafe(dir + "/" + NORMAL_FILE, dir + "/" + LINK_PREFIX + NORMAL_FILE);
685 static void createInnerAppDir(const std::string &dir, const std::string &nonAppDir)
689 symlinkSafe(nonAppDir, dir + "/" + LINK_PREFIX + "non_app_dir");
690 symlinkSafe(nonAppDir + "/" + EXEC_FILE,
691 dir + "/" + LINK_PREFIX + "non_app_" + EXEC_FILE);
692 symlinkSafe(nonAppDir + "/" + NORMAL_FILE,
693 dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
696 static void generateAppDir(const TemporaryTestUser &user,
697 const std::string &appId, const std::string &pkgId)
699 const std::string dir = appDirPath(user, appId, pkgId);
700 const std::string nonAppDir = nonAppDirPath(user);
702 createInnerAppDir(dir, nonAppDir);
703 createInnerAppDir(dir + "/.inner_dir", nonAppDir);
704 createInnerAppDir(dir + "/inner_dir", nonAppDir);
707 static void generateNonAppDir(const TemporaryTestUser &user)
709 const std::string dir = nonAppDirPath(user);
712 createTestDir(dir + "/.inner_dir");
713 createTestDir(dir + "/inner_dir");
716 static void createTestDirs(const TemporaryTestUser &user,
717 const std::string &appId, const std::string &pkgId)
719 generateAppDir(user, appId, pkgId);
720 generateNonAppDir(user);
723 static void removeTestDirs(const TemporaryTestUser &user,
724 const std::string &appId, const std::string &pkgId)
726 removeDir(appDirPath(user, appId, pkgId));
727 removeDir(nonAppDirPath(user));
730 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
733 const char *const sm_app_id = "sm_test_04a_app_id_uid";
734 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
735 const std::string new_user_name = "sm_test_04a_user_name";
737 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
740 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
741 createTestDirs(testUser, sm_app_id, sm_pkg_id);
743 const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
745 //switch user to non-root
746 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
747 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
749 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
751 //uninstall app as non-root user
752 InstallRequest request;
753 request.setAppId(sm_app_id);
755 Api::uninstall(request);
757 check_app_permissions(sm_app_id, sm_pkg_id,
758 uidToStr(testUser.getUid()).c_str(),
759 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
762 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
765 const char *const sm_app_id = "sm_test_04b_app_id_uid";
766 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
767 const std::string new_user_name = "sm_test_04b_user_name";
769 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
772 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
773 createTestDirs(testUser, sm_app_id, sm_pkg_id);
775 install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser, sm_app_id, sm_pkg_id), true);
777 //switch user to non-root - root may not uninstall apps for specified users
778 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
779 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
781 //uninstall app as non-root user
782 InstallRequest request;
783 request.setAppId(sm_app_id);
785 Api::uninstall(request);
787 check_app_permissions(sm_app_id, sm_pkg_id,
788 uidToStr(testUser.getUid()).c_str(),
789 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
793 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
796 CapsSetsUniquePtr caps, caps_empty(cap_init());
798 caps.reset(cap_from_text("all=eip"));
799 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
800 result = cap_set_proc(caps.get());
801 RUNNER_ASSERT_MSG(result == 0,
802 "can't set capabilities. Result: " << result);
804 Api::dropProcessPrivileges();
806 caps.reset(cap_get_proc());
807 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
809 result = cap_compare(caps.get(), caps_empty.get());
810 RUNNER_ASSERT_MSG(result == 0,
811 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
814 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
816 const char *const app_id = "sm_test_06_app_id_install_app_offline";
817 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
818 ServiceManager serviceManager("security-manager.service");
820 uninstall_app(app_id, pkg_id, true);
821 serviceManager.maskService();
822 serviceManager.stopService();
824 install_app(app_id, pkg_id);
826 serviceManager.unmaskService();
827 serviceManager.startService();
829 uninstall_app(app_id, pkg_id, true);
832 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
834 const char *const sm_app_id = "sm_test_07_app_id_user";
835 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
836 const std::string new_user_name = "sm_test_07_user_name";
837 std::string uid_string;
838 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
840 test_user.getUidString(uid_string);
842 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
843 createTestDirs(test_user, sm_app_id, sm_pkg_id);
845 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
847 check_app_after_install(sm_app_id, sm_pkg_id);
851 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
853 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
856 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
858 UserRequest addUserRequest;
860 const char *const sm_app_id = "sm_test_08_app_id_user";
861 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
862 const std::string new_user_name = "sm_test_08_user_name";
863 std::string uid_string;
866 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
868 test_user.getUidString(uid_string);
870 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
871 createTestDirs(test_user, sm_app_id, sm_pkg_id);
873 addUserRequest.setUid(test_user.getUid());
874 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
877 Api::addUser(addUserRequest);
879 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
881 check_app_after_install(sm_app_id, sm_pkg_id);
885 UserRequest deleteUserRequest;
886 deleteUserRequest.setUid(test_user.getUid());
888 Api::deleteUser(deleteUserRequest);
890 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
892 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
895 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
897 const char *const app_id = "security_manager_09_add_user_offline_app";
898 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
899 const std::string new_user_name("sm_test_09_user_name");
900 ServiceManager serviceManager("security-manager.service");
901 serviceManager.maskService();
902 serviceManager.stopService();
904 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
907 removeTestDirs(test_user, app_id, pkg_id);
908 createTestDirs(test_user, app_id, pkg_id);
910 install_app(app_id, pkg_id, test_user.getUid());
912 check_app_after_install(app_id, pkg_id);
914 serviceManager.unmaskService();
915 serviceManager.startService();
919 check_app_after_uninstall(app_id, pkg_id, true);
922 RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
925 const std::string username("sm_test_10_user_name");
926 unsigned int privileges_count = 0;
928 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
929 std::map<std::string, std::set<std::string>> apps2PrivsMap;
931 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
932 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
933 MANY_APPS.at(i), std::set<std::string>(
934 MANY_APPS_PRIVILEGES.at(i).begin(),
935 MANY_APPS_PRIVILEGES.at(i).end())));
936 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
939 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
940 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
942 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
947 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
949 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
952 if (pid != 0) { //parent process
953 TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
956 for(const auto &user : users2AppsMap) {
958 for(const auto &app : user.second) {
959 InstallRequest requestInst;
960 requestInst.setAppId(app.first.c_str());
962 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
963 } catch (const std::out_of_range &e) {
964 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
966 requestInst.setUid(tmpUser.getUid());
968 for (const auto &privilege : app.second) {
969 requestInst.addPrivilege(privilege.c_str());
972 Api::install(requestInst);
975 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
977 //Start child process
979 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
987 if (pid == 0) { //child process
989 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
990 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
992 struct passwd *pw = getUserStruct(username);
993 register_current_process_as_privilege_manager(pw->pw_uid);
994 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
995 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
997 std::vector<PolicyEntry> policyEntries;
999 Api::getPolicy(filter, policyEntries);
1001 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1002 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1004 for (const auto &policyEntry : policyEntries) {
1005 std::string user = policyEntry.getUser();
1006 std::string app = policyEntry.getAppId();
1007 std::string privilege = policyEntry.getPrivilege();
1010 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1011 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1012 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1013 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1014 } catch (const std::out_of_range &e) {
1015 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1016 } catch (const std::invalid_argument& e) {
1017 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1024 RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
1027 const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
1028 unsigned int privileges_count = 0;
1030 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1031 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1033 for (const auto &username : usernames) {
1034 //Only entries for one of the users will be listed
1035 privileges_count = 0;
1037 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1038 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1039 MANY_APPS.at(i), std::set<std::string>(
1040 MANY_APPS_PRIVILEGES.at(i).begin(),
1041 MANY_APPS_PRIVILEGES.at(i).end())));
1042 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1045 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1048 users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
1049 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1056 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1058 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1061 if (pid != 0) { //parent process
1062 std::vector<TemporaryTestUser> users = {
1063 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1064 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1067 users.at(0).create();
1068 users.at(1).create();
1070 //Install apps for both users
1071 for(const auto &user : users) {
1072 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1073 InstallRequest requestInst;
1074 requestInst.setAppId(app.first.c_str());
1076 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1077 } catch (const std::out_of_range &e) {
1078 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1080 requestInst.setUid(user.getUid());
1082 for (const auto &privilege : app.second) {
1083 requestInst.addPrivilege(privilege.c_str());
1086 Api::install(requestInst);
1089 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1093 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1098 for(auto &user : users) {
1105 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1106 struct passwd *pw = getUserStruct(usernames.at(0));
1107 register_current_process_as_privilege_manager(pw->pw_uid);
1109 //change uid to normal user
1111 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1112 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1114 std::vector<PolicyEntry> policyEntries;
1117 //this call should only return privileges belonging to the current uid
1118 Api::getPolicy(filter, policyEntries);
1120 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1121 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1123 for (const auto &policyEntry : policyEntries) {
1124 std::string user = policyEntry.getUser();
1125 std::string app = policyEntry.getAppId();
1126 std::string privilege = policyEntry.getPrivilege();
1129 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1130 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1131 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1132 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1133 } catch (const std::out_of_range &e) {
1134 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1135 } catch (const std::invalid_argument& e) {
1136 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1143 RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
1146 const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
1147 unsigned int privileges_count = 0;
1149 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1150 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1152 for (const auto &username : usernames) {
1154 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1155 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1156 MANY_APPS.at(i), std::set<std::string>(
1157 MANY_APPS_PRIVILEGES.at(i).begin(),
1158 MANY_APPS_PRIVILEGES.at(i).end())));
1159 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1162 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1165 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1166 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
1168 privileges_count += 2;
1173 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1175 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1178 if (pid != 0) { //parent process
1179 std::vector<TemporaryTestUser> users = {
1180 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1181 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1184 users.at(0).create();
1185 users.at(1).create();
1186 //Install apps for both users
1187 for(const auto &user : users) {
1188 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1189 InstallRequest requestInst;
1190 requestInst.setAppId(app.first.c_str());
1192 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1193 } catch (const std::out_of_range &e) {
1194 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1196 requestInst.setUid(user.getUid());
1198 for (const auto &privilege : app.second) {
1199 requestInst.addPrivilege(privilege.c_str());
1202 Api::install(requestInst);
1205 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1210 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1212 //Wait for child to finish
1216 for(auto &user : users) {
1221 if (pid == 0) { //child process
1223 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1225 struct passwd *pw = getUserStruct(usernames.at(1));
1226 register_current_process_as_privilege_manager(pw->pw_uid, true);
1228 //change uid to normal user
1229 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1230 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1232 std::vector<PolicyEntry> policyEntries;
1234 //this call should succeed as the calling user is privileged
1235 Api::getPolicy(filter, policyEntries);
1237 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1238 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1240 for (const auto &policyEntry : policyEntries) {
1241 std::string user = policyEntry.getUser();
1242 std::string app = policyEntry.getAppId();
1243 std::string privilege = policyEntry.getPrivilege();
1246 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1247 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1248 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1249 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1250 } catch (const std::out_of_range &e) {
1251 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1252 } catch (const std::invalid_argument& e) {
1253 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1261 RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
1264 const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
1266 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1267 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1269 for (const auto &username : usernames) {
1271 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1272 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1273 MANY_APPS.at(i), std::set<std::string>(
1274 MANY_APPS_PRIVILEGES.at(i).begin(),
1275 MANY_APPS_PRIVILEGES.at(i).end())));
1278 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1281 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1282 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1289 RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
1291 RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
1293 RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
1295 RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
1296 std::vector<PolicyEntry> policyEntries;
1300 if(pid[0] == 0) { //child #1 process
1301 RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
1302 struct passwd *pw = getUserStruct(usernames.at(0));
1303 register_current_process_as_privilege_manager(pw->pw_uid);
1305 //change uid to normal user
1306 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1307 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1310 PolicyRequest policyRequest;
1311 //this call should succeed as the calling user is privileged
1312 Api::getPolicyForSelf(filter, policyEntries);
1314 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1316 PolicyEntry policyEntry(
1318 std::to_string(pw->pw_uid),
1319 "http://tizen.org/privilege/internet"
1321 policyEntry.setLevel("Deny");
1323 policyRequest.addEntry(policyEntry);
1324 policyEntry = PolicyEntry(
1326 std::to_string(pw->pw_uid),
1327 "http://tizen.org/privilege/location"
1329 policyEntry.setLevel("Deny");
1331 policyRequest.addEntry(policyEntry);
1332 Api::sendPolicy(policyRequest);
1333 Api::getPolicyForSelf(filter, policyEntries);
1335 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1339 if (pid[0] != 0) {//parent process
1342 if (pid[1] == 0) { //child #2 process
1344 RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
1345 struct passwd *pw_target = getUserStruct(usernames.at(0));
1346 struct passwd *pw = getUserStruct(usernames.at(1));
1347 register_current_process_as_privilege_manager(pw->pw_uid);
1349 //change uid to normal user
1350 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1351 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1353 PolicyEntry filter = PolicyEntry(
1354 SECURITY_MANAGER_ANY,
1355 std::to_string(pw_target->pw_uid),
1356 SECURITY_MANAGER_ANY
1359 //U2 requests contents of U1 privacy manager - should fail
1360 Api::getPolicyForSelf(filter, policyEntries);
1361 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1363 filter = PolicyEntry(
1364 SECURITY_MANAGER_ANY,
1365 SECURITY_MANAGER_ANY,
1366 SECURITY_MANAGER_ANY
1369 policyEntries.clear();
1371 //U2 requests contents of ADMIN bucket - should fail
1372 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
1373 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1377 if (pid[1] != 0) { //parent
1379 std::vector<TemporaryTestUser> users = {
1380 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1381 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1384 users.at(0).create();
1385 users.at(1).create();
1387 //Install apps for both users
1388 for(const auto &user : users2AppsMap) {
1390 for(const auto &app : user.second) {
1391 InstallRequest requestInst;
1392 requestInst.setAppId(app.first.c_str());
1394 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1395 } catch (const std::out_of_range &e) {
1396 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1398 requestInst.setUid(users.at(0).getUid());
1400 for (const auto &privilege : app.second) {
1401 requestInst.addPrivilege(privilege.c_str());
1404 Api::install(requestInst);
1407 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1413 RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
1415 //Wait until child #1 finishes
1416 pid_t ret = wait(&status);
1417 RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
1421 RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
1422 //Wait until child #2 finishes
1423 ret = wait(&status);
1424 RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
1426 for(auto &user : users) {
1430 sem_close(mutex[0]);
1431 sem_close(mutex[1]);
1436 RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
1439 const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
1440 unsigned int privileges_count = 0;
1442 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1443 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1445 for (const auto &username : usernames) {
1447 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1448 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1449 MANY_APPS.at(i), std::set<std::string>(
1450 MANY_APPS_PRIVILEGES.at(i).begin(),
1451 MANY_APPS_PRIVILEGES.at(i).end())));
1452 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1455 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1458 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1459 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1461 privileges_count += 2;
1465 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1467 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1471 std::vector<TemporaryTestUser> users = {
1472 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1473 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1476 users.at(0).create();
1477 users.at(1).create();
1479 //Install apps for both users
1480 for(const auto &user : users) {
1482 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1483 InstallRequest requestInst;
1484 requestInst.setAppId(app.first.c_str());
1486 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1487 } catch (const std::out_of_range &e) {
1488 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1490 requestInst.setUid(user.getUid());
1492 for (const auto &privilege : app.second) {
1493 requestInst.addPrivilege(privilege.c_str());
1496 Api::install(requestInst);
1499 //Start child process
1501 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1503 //Wait for child process to finish
1506 //switch back to root
1507 for(auto &user : users) {
1514 if (pid == 0) { //child process
1516 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
1518 struct passwd *pw = getUserStruct(usernames.at(0));
1519 register_current_process_as_privilege_manager(pw->pw_uid, true);
1521 //change uid to normal user
1522 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1523 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1525 PolicyRequest *policyRequest = new PolicyRequest();
1527 std::vector<PolicyEntry> policyEntries;
1528 //this call should succeed as the calling user is privileged
1529 Api::getPolicyForSelf(filter, policyEntries);
1531 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1533 PolicyEntry policyEntry(
1534 SECURITY_MANAGER_ANY,
1535 SECURITY_MANAGER_ANY,
1536 "http://tizen.org/privilege/internet"
1538 policyEntry.setMaxLevel("Deny");
1540 policyRequest->addEntry(policyEntry);
1541 policyEntry = PolicyEntry(
1542 SECURITY_MANAGER_ANY,
1543 SECURITY_MANAGER_ANY,
1544 "http://tizen.org/privilege/location"
1546 policyEntry.setMaxLevel("Deny");
1548 policyRequest->addEntry(policyEntry);
1549 Api::sendPolicy(*policyRequest);
1550 Api::getPolicyForAdmin(filter, policyEntries);
1552 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1554 delete policyRequest;
1555 policyRequest = new PolicyRequest();
1556 policyEntry = PolicyEntry(
1557 SECURITY_MANAGER_ANY,
1558 SECURITY_MANAGER_ANY,
1559 "http://tizen.org/privilege/internet"
1561 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1562 policyRequest->addEntry(policyEntry);
1564 policyEntry = PolicyEntry(
1565 SECURITY_MANAGER_ANY,
1566 SECURITY_MANAGER_ANY,
1567 "http://tizen.org/privilege/location"
1569 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1571 policyRequest->addEntry(policyEntry);
1572 Api::sendPolicy(*policyRequest);
1574 policyEntries.clear();
1575 Api::getPolicyForAdmin(filter, policyEntries);
1576 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
1578 delete policyRequest;
1585 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
1587 const char *const update_app_id = "security_manager_15_update_app_id";
1588 const char *const update_privilege = "http://tizen.org/privilege/led";
1589 const char *const check_start_bucket = "ADMIN";
1590 const std::string username("sm_test_15_username");
1591 PolicyRequest addPolicyRequest;
1592 CynaraTestAdmin::Admin admin;
1603 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1605 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
1609 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1610 if (pid != 0)//parent process
1612 FdUniquePtr pipeptr(pipefd+1);
1615 register_current_process_as_privilege_manager(user.getUid(), true);
1617 //send info to child
1618 msg.uid = user.getUid();
1619 msg.gid = user.getGid();
1621 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1622 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1625 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1627 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1628 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1632 FdUniquePtr pipeptr(pipefd);
1635 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1636 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1638 //become admin privacy manager manager
1639 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1640 result = drop_root_privileges(msg.uid, msg.gid);
1641 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1643 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1644 entry.setMaxLevel("Allow");
1646 addPolicyRequest.addEntry(entry);
1647 Api::sendPolicy(addPolicyRequest);
1652 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
1654 const char *const update_other_app_id = "security_manager_15_update_other_app_id";
1655 const char *const update_privilege = "http://tizen.org/privilege/led";
1656 const char *const check_start_bucket = "ADMIN";
1657 const std::string username("sm_test_15_username");
1658 PolicyRequest addPolicyRequest;
1659 CynaraTestAdmin::Admin admin;
1670 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1672 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
1676 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1677 if (pid != 0)//parent process
1679 FdUniquePtr pipeptr(pipefd+1);
1682 register_current_process_as_privilege_manager(user.getUid(), true);
1684 //send info to child
1685 msg.uid = user.getUid();
1686 msg.gid = user.getGid();
1688 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1689 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1692 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1694 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
1695 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1699 FdUniquePtr pipeptr(pipefd);
1702 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1703 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1705 //become admin privacy manager manager
1706 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1707 result = drop_root_privileges(msg.uid, msg.gid);
1708 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1710 // use wildcard as appId
1711 PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1712 entry.setMaxLevel("Allow");
1714 addPolicyRequest.addEntry(entry);
1715 Api::sendPolicy(addPolicyRequest);
1720 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
1722 const char *const update_app_id = "security_manager_15_update_app_id";
1723 const char *const update_privilege = "http://tizen.org/privilege/led";
1724 const char *const check_start_bucket = "";
1725 const std::string username("sm_test_15_username");
1726 PolicyRequest addPolicyRequest;
1727 CynaraTestAdmin::Admin admin;
1738 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1740 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1744 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1745 if (pid != 0)//parent process
1747 FdUniquePtr pipeptr(pipefd+1);
1750 register_current_process_as_privilege_manager(user.getUid(), false);
1752 //send info to child
1753 msg.uid = user.getUid();
1754 msg.gid = user.getGid();
1756 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1757 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1760 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1762 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1763 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1767 FdUniquePtr pipeptr(pipefd);
1770 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1771 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1773 //become admin privacy manager manager
1774 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1775 result = drop_root_privileges(msg.uid, msg.gid);
1776 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1778 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1779 entry.setLevel("Allow");
1781 addPolicyRequest.addEntry(entry);
1782 Api::sendPolicy(addPolicyRequest);
1787 RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
1789 const std::string username("sm_test_16_user_cynara_policy");
1790 CynaraTestAdmin::Admin admin;
1800 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1802 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1806 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1807 if (pid != 0)//parent process
1809 FdUniquePtr pipeptr(pipefd+1);
1812 //send info to child
1813 msg.uid = user.getUid();
1814 msg.gid = user.getGid();
1816 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1817 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1820 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1826 std::string allow_policy, deny_policy;
1828 FdUniquePtr pipeptr(pipefd);
1831 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1832 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1834 //become admin privacy manager manager
1835 result = drop_root_privileges(msg.uid, msg.gid);
1836 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1838 // without plugins there should only be 2 policies - Allow and Deny
1839 ret = security_manager_policy_levels_get(&levels, &count);
1841 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
1842 "Invlid return code: " << ret);
1844 RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
1846 deny_policy = std::string(levels[0]);
1847 allow_policy = std::string(levels[count-1]);
1849 // first should always be Deny
1850 RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
1851 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
1853 // last should always be Allow
1854 RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
1855 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
1857 security_manager_policy_levels_free(levels, count);
1862 RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
1864 const char *const update_app_id = "security_manager_17_update_app_id";
1865 const char *const update_privilege = "http://tizen.org/privilege/led";
1866 const char *const check_start_bucket = "";
1867 const std::string username("sm_test_17_username");
1868 PolicyRequest addPolicyRequest;
1869 CynaraTestAdmin::Admin admin;
1881 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1882 RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
1884 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1888 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1889 if (pid != 0)//parent process
1891 FdUniquePtr pipeptr(pipefd+1);
1894 register_current_process_as_privilege_manager(user.getUid(), false);
1896 //send info to child
1897 msg.uid = user.getUid();
1898 msg.gid = user.getGid();
1900 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1901 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1904 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1906 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1907 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1910 if (pid != 0)//parent process
1912 FdUniquePtr pipeptr(pipefd2+1);
1915 //send info to child
1916 msg.uid = user.getUid();
1917 msg.gid = user.getGid();
1919 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
1920 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1923 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1926 waitpid(-1, &result, 0);
1928 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1929 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
1933 FdUniquePtr pipeptr(pipefd2);
1936 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
1937 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1939 //become admin privacy manager manager
1940 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1941 result = drop_root_privileges(msg.uid, msg.gid);
1942 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1944 // delete this entry
1945 PolicyRequest deletePolicyRequest;
1946 PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1947 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
1949 deletePolicyRequest.addEntry(deleteEntry);
1950 Api::sendPolicy(deletePolicyRequest);
1956 FdUniquePtr pipeptr(pipefd);
1959 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1960 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1962 //become admin privacy manager manager
1963 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1964 result = drop_root_privileges(msg.uid, msg.gid);
1965 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1967 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1968 entry.setLevel("Allow");
1970 addPolicyRequest.addEntry(entry);
1971 Api::sendPolicy(addPolicyRequest);
1976 RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
1978 const std::string username("sm_test_17_user_name");
1983 unsigned int privileges_count;
1990 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1993 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1994 if (pid != 0)//parent process
1996 FdUniquePtr pipeptr(pipefd+1);
1999 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
2002 unsigned int privileges_count = 0;
2004 register_current_process_as_privilege_manager(user.getUid(), false);
2005 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
2008 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
2009 InstallRequest requestInst;
2010 requestInst.setAppId(MANY_APPS[i].c_str());
2011 requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
2012 requestInst.setUid(user.getUid());
2014 for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
2015 requestInst.addPrivilege(priv.c_str());
2018 Api::install(requestInst);
2019 privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
2022 //send info to child
2023 msg.uid = user.getUid();
2024 msg.gid = user.getGid();
2025 msg.privileges_count = privileges_count;
2027 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
2028 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
2031 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
2035 FdUniquePtr pipeptr(pipefd);
2038 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
2039 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
2041 //become admin privacy manager manager
2042 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
2043 result = drop_root_privileges(msg.uid, msg.gid);
2044 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
2046 // filter by privilege
2047 std::vector<PolicyEntry> policyEntries;
2048 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
2049 Api::getPolicy(filter, policyEntries);
2051 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2052 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
2054 // filter by other privilege
2055 policyEntries.clear();
2056 PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
2057 Api::getPolicy(filter2, policyEntries);
2059 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2060 RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
2063 policyEntries.clear();
2064 PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
2065 Api::getPolicy(filter3, policyEntries);
2067 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2068 RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
2072 RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy)
2074 const char *const MAIN_BUCKET = "MAIN";
2075 const char *const MANIFESTS_BUCKET = "MANIFESTS";
2076 const char *const ADMIN_BUCKET = "ADMIN";
2077 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
2078 const std::string username("sm_test_10_user_cynara_policy");
2079 CynaraTestAdmin::Admin admin;
2080 std::string uid_string;
2081 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2083 user.getUidString(uid_string);
2085 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
2086 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
2087 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
2090 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
2092 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2093 admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2094 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2095 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2098 RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install)
2101 const int SUCCESS = 0;
2102 const int FAILURE = 256;
2103 const std::string app_id = "security_manager_10_app";
2104 const std::string pkg_id = "security_manager_10_pkg";
2105 const std::string username("sm_test_10_user_name");
2106 std::string uid_string;
2107 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2109 user.getUidString(uid_string);
2110 const std::string path1 = "/home/" + username + "/p1";
2111 const std::string path2 = "/home/" + username + "/p2";
2112 const std::string pkgopt = " --pkg=" + pkg_id;
2113 const std::string appopt = " --app=" + app_id;
2114 const std::string uidopt = " --uid=" + uid_string;
2116 mkdir(path1.c_str(), 0);
2117 mkdir(path2.c_str(), 0);
2119 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
2122 std::string command;
2123 int expected_result;
2125 std::vector<struct operation> operations = {
2126 {"security-manager-cmd", FAILURE},//no option
2127 {"security-manager-cmd --blah", FAILURE},//blah option is not known
2128 {"security-manager-cmd --help", SUCCESS},
2129 {"security-manager-cmd --install", FAILURE},//no params
2130 {"security-manager-cmd -i", FAILURE},//no params
2131 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
2132 {installcmd, SUCCESS},
2133 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
2134 {installcmd + " --path " + path1 + " private", SUCCESS},
2135 {installcmd + " --path " + path1, FAILURE},//no path type
2136 {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS},
2137 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type
2138 {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
2141 for (auto &op : operations) {
2142 ret = system(op.command.c_str());
2143 RUNNER_ASSERT_MSG(ret == op.expected_result,
2144 "Unexpected result for command '" << op.command <<"': "
2145 << ret << " Expected was: "<< op.expected_result);
2149 RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
2152 const int SUCCESS = 0;
2153 const int FAILURE = 256;
2154 const std::string username("sm_test_11_user_name");
2155 std::string uid_string;
2156 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2158 user.getUidString(uid_string);
2159 const std::string uidopt = " --uid=" + uid_string;
2162 std::string command;
2163 int expected_result;
2165 std::vector<struct operation> operations = {
2166 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
2167 {"security-manager-cmd -m", FAILURE},//no params
2168 {"security-manager-cmd -mr", FAILURE},//no uid
2169 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
2170 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
2171 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
2172 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
2173 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
2174 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
2175 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
2176 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
2179 for (auto &op : operations) {
2180 ret = system(op.command.c_str());
2181 RUNNER_ASSERT_MSG(ret == op.expected_result,
2182 "Unexpected result for command '" << op.command <<"': "
2183 << ret << " Expected was: "<< op.expected_result);
2187 RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
2189 const int BUFFER_SIZE = 128;
2193 char buf[BUFFER_SIZE];
2196 privileges_t admin_required_privs = {
2197 "http://tizen.org/privilege/systemsettings.admin",
2198 "http://tizen.org/privilege/systemsettings"};
2199 privileges_t manifest_privs = {
2200 "http://tizen.org/privilege/internet",
2201 "http://tizen.org/privilege/camera"};
2202 privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
2203 privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
2205 const std::string pirivman_id = "sm_test_13_ADMIN_APP";
2206 const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
2207 const std::string app_id = "sm_test_13_SOME_APP";
2208 const std::string pkg_id = "sm_test_13_SOME_PKG";
2214 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
2216 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
2217 if (pid != 0)//parent process
2219 std::string childuidstr;
2220 TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
2221 TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
2223 InstallRequest request,request2;
2224 FdUniquePtr pipeptr(pipefd+1);
2229 child.getUidString(childuidstr);
2231 //install privacy manager for admin
2232 request.setAppId(pirivman_id.c_str());
2233 request.setPkgId(pirivman_pkg_id.c_str());
2234 request.setUid(admin.getUid());
2235 for (auto &priv: admin_required_privs)
2236 request.addPrivilege(priv.c_str());
2237 Api::install(request);
2239 //install app for child that has internet privilege
2240 request2.setAppId(app_id.c_str());
2241 request2.setPkgId(pkg_id.c_str());
2242 request2.setUid(child.getUid());
2243 for (auto &priv: manifest_privs)
2244 request2.addPrivilege(priv.c_str());
2245 Api::install(request2);
2247 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
2248 manifest_privs, SM_NO_PRIVILEGES);
2250 //send info to child
2251 msg.uid = admin.getUid();
2252 msg.gid = admin.getGid();
2253 strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
2255 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
2256 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
2259 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
2261 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
2262 real_privs_allow, real_privs_deny);
2264 if (pid == 0)//child
2266 FdUniquePtr pipeptr(pipefd);
2269 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
2270 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
2272 //become admin privacy manager manager
2273 Api::setProcessLabel(pirivman_id.c_str());
2274 result = drop_root_privileges(msg.uid, msg.gid);
2275 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
2276 PolicyRequest addPolicyReq;
2278 for (auto &denypriv:real_privs_deny) {
2279 /*this entry will deny some privileges for user whose uid (as c string)
2280 was sent in message's buf field.
2281 That user would be denying internet for child in this case*/
2282 PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
2283 entry.setMaxLevel("Deny");
2284 addPolicyReq.addEntry(entry);
2286 Api::sendPolicy(addPolicyReq);
2291 int main(int argc, char *argv[])
2293 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
projects / platform / core / test / security-tests.git / blob