1 #include <dpl/log/log.h>
2 #include <dpl/test/test_runner.h>
7 #include <unordered_set>
8 #include <sys/capability.h>
12 #include <sys/types.h>
14 #include <sys/socket.h>
16 #include <attr/xattr.h>
17 #include <linux/xattr.h>
20 #include <sys/types.h>
26 #include <libprivilege-control_test_common.h>
27 #include <tests_common.h>
29 #include <tzplatform_config.h>
30 #include <security-manager.h>
33 #include <sm_request.h>
34 #include <sm_user_request.h>
35 #include <temp_test_user.h>
36 #include <cynara_test_client.h>
37 #include <cynara_test_admin.h>
38 #include <service_manager.h>
39 #include <cynara_test_admin.h>
41 using namespace SecurityManagerTest;
43 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
44 DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
46 static const privileges_t SM_ALLOWED_PRIVILEGES = {
47 "http://tizen.org/privilege/location",
48 "http://tizen.org/privilege/camera"
51 static const privileges_t SM_DENIED_PRIVILEGES = {
52 "http://tizen.org/privilege/bluetooth",
53 "http://tizen.org/privilege/power"
56 static const privileges_t SM_NO_PRIVILEGES = {
59 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
61 static const char *const SM_RW_PATH = "/usr/apps/app_dir";
62 static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro";
63 static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
65 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
66 static const std::string EXEC_FILE("exec");
67 static const std::string NORMAL_FILE("normal");
68 static const std::string LINK_PREFIX("link_to_");
70 static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
71 static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
72 static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
73 static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
75 static const std::vector<std::string> MANY_APPS = {
76 "security_manager_10_app_1",
77 "security_manager_10_app_2",
78 "security_manager_10_app_3",
79 "security_manager_10_app_4",
80 "security_manager_10_app_5"
83 static const std::map<std::string, std::string> MANY_APPS_PKGS = {
84 {"security_manager_10_app_1", "security_manager_10_pkg_1"},
85 {"security_manager_10_app_2", "security_manager_10_pkg_2"},
86 {"security_manager_10_app_3", "security_manager_10_pkg_3"},
87 {"security_manager_10_app_4", "security_manager_10_pkg_4"},
88 {"security_manager_10_app_5", "security_manager_10_pkg_5"},
89 {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG}
92 static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
94 "http://tizen.org/privilege/internet",
95 "http://tizen.org/privilege/location"
98 "http://tizen.org/privilege/telephony",
99 "http://tizen.org/privilege/camera"
102 "http://tizen.org/privilege/contact.read",
103 "http://tizen.org/privilege/led",
104 "http://tizen.org/privilege/email"
107 "http://tizen.org/privilege/led",
108 "http://tizen.org/privilege/email",
109 "http://tizen.org/privilege/telephony",
110 "http://tizen.org/privilege/camera"
113 "http://tizen.org/privilege/internet",
114 "http://tizen.org/privilege/location",
115 "http://tizen.org/privilege/led",
116 "http://tizen.org/privilege/email"
120 static void generateAppLabel(const std::string &appId, std::string &label)
126 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
127 const char* correctLabel, bool transmute_test, bool exec_test)
131 char* label = nullptr;
134 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
135 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
136 labelPtr.reset(label);
137 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
138 result = strcmp(correctLabel, label);
139 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
140 " (should be '" << correctLabel << "' and is '" << label << "')");
144 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
145 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
146 labelPtr.reset(label);
148 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
149 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
150 result = strcmp(correctLabel, label);
151 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
153 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
157 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
158 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
159 labelPtr.reset(label);
161 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
162 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
163 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
164 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
166 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
173 static int nftw_check_sm_labels_app_rw_dir(const char *fpath, const struct stat *sb,
174 int /*typeflag*/, struct FTW* /*ftwbuf*/)
176 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
179 static int nftw_check_sm_labels_app_ro_dir(const char *fpath, const struct stat *sb,
180 int /*typeflag*/, struct FTW* /*ftwbuf*/)
183 return nftw_check_sm_labels_app_dir(fpath, sb, "User::Home", true, false);
186 static void prepare_app_path()
190 result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
191 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
193 result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
194 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
196 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
197 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
200 static void prepare_app_env()
205 /* TODO: add parameters to this function */
206 static void check_app_path_after_install()
210 result = nftw(SM_RW_PATH, &nftw_check_sm_labels_app_rw_dir, FTW_MAX_FDS, FTW_PHYS);
211 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
213 result = nftw(SM_RO_PATH, &nftw_check_sm_labels_app_ro_dir, FTW_MAX_FDS, FTW_PHYS);
214 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
216 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
217 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
221 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
222 const privileges_t &allowed_privs, const privileges_t &denied_privs)
225 std::string smackLabel;
226 generateAppLabel(app_id, smackLabel);
228 CynaraTestClient::Client ctc;
230 for (auto &priv : allowed_privs) {
231 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
234 for (auto &priv : denied_privs) {
235 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
239 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
242 gid_t main_gid = getgid();
243 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
245 // Reset supplementary groups
246 ret = setgroups(0, NULL);
247 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
249 Api::setProcessGroups(app_id);
251 ret = getgroups(0, nullptr);
252 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
254 std::vector<gid_t> actual_gids(ret);
255 ret = getgroups(ret, actual_gids.data());
256 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
258 for (const auto &gid : actual_gids) {
259 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
260 "Application shouldn't get access to group " << gid);
261 reference_gids.erase(gid);
264 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
267 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
268 const privileges_t &allowed_privs,
269 const privileges_t &denied_privs,
270 const std::vector<std::string> &allowed_groups)
272 TestSecurityManagerDatabase dbtest;
273 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
274 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
276 /*Privileges should be granted to all users if root installs app*/
277 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
279 /* Setup mapping of gids to privileges */
280 /* Do this for each privilege for extra check */
281 for (const auto &privilege : allowed_privs) {
282 dbtest.setup_privilege_groups(privilege, allowed_groups);
285 std::vector<gid_t> allowed_gids;
287 for (const auto &groupName : allowed_groups) {
289 struct group* grp = getgrnam(groupName.c_str());
290 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
291 allowed_gids.push_back(grp->gr_gid);
294 check_app_gids(app_id, allowed_gids);
297 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
299 TestSecurityManagerDatabase dbtest;
300 dbtest.test_db_after__app_install(app_id, pkg_id);
303 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
304 const privileges_t &privileges, const bool is_pkg_removed)
306 TestSecurityManagerDatabase dbtest;
307 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
310 /*Privileges should not be granted anymore to any user*/
311 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
314 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
315 const bool is_pkg_removed)
317 TestSecurityManagerDatabase dbtest;
318 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
321 static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
323 InstallRequest request;
324 request.setAppId(app_id);
325 request.setPkgId(pkg_id);
327 Api::install(request);
329 check_app_after_install(app_id, pkg_id);
333 static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
335 InstallRequest request;
336 request.setAppId(app_id);
338 Api::uninstall(request);
340 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
343 static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
345 InstallRequest request;
346 request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
347 request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
349 request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
351 request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
352 Api::install(request);
353 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
356 static inline struct passwd *getUserStruct(const std::string &userName) {
357 struct passwd *pw = nullptr;
360 while(!(pw = getpwnam(userName.c_str()))) {
361 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
367 static inline struct passwd *getUserStruct(const uid_t uid) {
368 struct passwd *pw = nullptr;
371 while(!(pw = getpwuid(uid))) {
372 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
378 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
381 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
383 const char *const sm_app_id = "sm_test_01a_app_id_double";
384 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
386 InstallRequest requestInst;
387 requestInst.setAppId(sm_app_id);
388 requestInst.setPkgId(sm_pkg_id);
390 Api::install(requestInst);
391 Api::install(requestInst);
393 /* Check records in the security-manager database */
394 check_app_after_install(sm_app_id, sm_pkg_id);
396 InstallRequest requestUninst;
397 requestUninst.setAppId(sm_app_id);
399 Api::uninstall(requestUninst);
400 Api::uninstall(requestUninst);
402 /* Check records in the security-manager database */
403 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
407 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
409 const char *const sm_app_id = "sm_test_01b_app";
410 const char *const sm_pkg_id = "sm_test_01b_pkg";
411 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
413 InstallRequest requestInst;
414 requestInst.setAppId(sm_app_id);
415 requestInst.setPkgId(sm_pkg_id);
417 Api::install(requestInst);
419 InstallRequest requestInst2;
420 requestInst2.setAppId(sm_app_id);
421 requestInst2.setPkgId(sm_pkg_id_wrong);
423 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
426 /* Check records in the security-manager database */
427 check_app_after_install(sm_app_id, sm_pkg_id);
429 InstallRequest requestUninst;
430 requestUninst.setAppId(sm_app_id);
432 Api::uninstall(requestUninst);
435 /* Check records in the security-manager database */
436 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
440 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
442 const char * const sm_app_id = "SM_TEST_01c_APPID";
443 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
444 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
446 InstallRequest requestInst;
447 requestInst.setAppId(sm_app_id);
448 requestInst.setPkgId(sm_pkg_id);
450 Api::install(requestInst);
452 /* Check records in the security-manager database */
453 check_app_after_install(sm_app_id, sm_pkg_id);
455 InstallRequest requestUninst;
456 requestUninst.setAppId(sm_app_id);
457 requestUninst.setPkgId(sm_pkg_id_wrong);
459 Api::uninstall(requestUninst);
461 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
465 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
467 const char *const sm_app_id = "sm_test_02_app_id_full";
468 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
472 InstallRequest requestInst;
473 requestInst.setAppId(sm_app_id);
474 requestInst.setPkgId(sm_pkg_id);
475 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
476 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
477 requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
478 requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
480 Api::install(requestInst);
482 /* Check records in the security-manager database */
483 check_app_after_install(sm_app_id, sm_pkg_id,
484 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
486 /* TODO: add parameters to this function */
487 check_app_path_after_install();
489 InstallRequest requestUninst;
490 requestUninst.setAppId(sm_app_id);
492 Api::uninstall(requestUninst);
494 /* Check records in the security-manager database,
495 * all previously allowed privileges should be removed */
496 check_app_after_uninstall(sm_app_id, sm_pkg_id,
497 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
500 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
502 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
503 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
504 const char *const expected_label = USER_APP_ID;
505 const char *const socketLabel = "not_expected_label";
506 char *label = nullptr;
510 uninstall_app(app_id, pkg_id, true);
511 install_app(app_id, pkg_id);
513 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
514 //Clean up before creating socket
516 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
517 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
518 SockUniquePtr sockPtr(&sock);
519 //Bind socket to address
520 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
521 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
522 //Set socket label to something different than expecedLabel
523 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
524 strlen(socketLabel), 0);
525 RUNNER_ASSERT_ERRNO_MSG(result == 0,
526 "Can't set socket label. Result: " << result);
527 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
528 strlen(socketLabel), 0);
529 RUNNER_ASSERT_ERRNO_MSG(result == 0,
530 "Can't set socket label. Result: " << result);
532 Api::setProcessLabel(app_id);
534 char value[SMACK_LABEL_LEN + 1];
536 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
537 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
538 result = strcmp(expected_label, value);
539 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
540 expected_label << " Actual: " << value);
542 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
543 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
544 result = strcmp(expected_label, value);
545 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
546 expected_label << " Actual: " << value);
548 result = smack_new_label_from_self(&label);
549 RUNNER_ASSERT_MSG(result >= 0,
550 " Error getting current process label");
551 RUNNER_ASSERT_MSG(label != nullptr,
552 " Process label is not set");
553 labelPtr.reset(label);
555 result = strcmp(expected_label, label);
556 RUNNER_ASSERT_MSG(result == 0,
557 " Process label is incorrect. Expected: \"" << expected_label <<
558 "\" Actual: \"" << label << "\"");
560 uninstall_app(app_id, pkg_id, true);
563 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
565 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
566 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
568 uninstall_app(app_id, pkg_id, true);
569 install_app(app_id, pkg_id);
571 Api::setProcessLabel(app_id);
573 uninstall_app(app_id, pkg_id, true);
576 static void prepare_request(InstallRequest &request,
577 const char *const app_id,
578 const char *const pkg_id,
579 app_install_path_type pathType,
580 const char *const path,
583 request.setAppId(app_id);
584 request.setPkgId(pkg_id);
585 request.addPath(path, pathType);
591 static uid_t getGlobalUserId(void)
593 return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
596 static const std::string appDirPath(const TemporaryTestUser &user)
598 struct tzplatform_context *tzCtxPtr = nullptr;
600 RUNNER_ASSERT(0 == tzplatform_context_create(&tzCtxPtr));
601 TzPlatformContextPtr tzCtxPtrSmart(tzCtxPtr);
603 RUNNER_ASSERT_MSG(0 == tzplatform_context_set_user(tzCtxPtr, user.getUid()),
604 "Unable to set user <" << user.getUserName() << "> for tzplatform context");
606 const char *appDir = tzplatform_context_getenv(tzCtxPtr,
607 getGlobalUserId() == user.getUid() ? TZ_SYS_RW_APP : TZ_USER_APP);
608 RUNNER_ASSERT_MSG(nullptr != appDir,
609 "tzplatform_context_getenv failed"
610 << "for getting sys rw app of user <" << user.getUserName() << ">");
615 static const std::string nonAppDirPath(const TemporaryTestUser &user)
617 return TMP_DIR + "/" + user.getUserName();
620 static const std::string uidToStr(const uid_t uid)
622 return std::to_string(static_cast<unsigned int>(uid));
625 static void install_and_check(const char *const sm_app_id,
626 const char *const sm_pkg_id,
627 const TemporaryTestUser& user,
628 const std::string &appDir,
631 InstallRequest requestPublic;
633 //install app for non-root user and try to register public path (should fail)
634 prepare_request(requestPublic, sm_app_id, sm_pkg_id,
635 SECURITY_MANAGER_PATH_PUBLIC, appDir.c_str(),
636 requestUid ? user.getUid() : 0);
638 Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
640 InstallRequest requestPrivate;
642 //install app for non-root user
643 //should fail (users may only register folders inside their home)
644 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
645 SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
646 requestUid ? user.getUid() : 0);
648 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
650 InstallRequest requestPrivateUser;
652 //install app for non-root user
653 //should succeed - this time i register folder inside user's home dir
654 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
655 SECURITY_MANAGER_PATH_RW, appDir.c_str(),
656 requestUid ? user.getUid() : 0);
658 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
659 requestPrivateUser.addPrivilege(privilege.c_str());
661 Api::install(requestPrivateUser);
663 check_app_permissions(sm_app_id, sm_pkg_id,
664 uidToStr(user.getUid()).c_str(),
665 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
668 static void createTestDir(const std::string &dir)
670 mode_t dirMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
671 mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
672 mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
674 mkdirSafe(dir, dirMode);
675 creatSafe(dir + "/" + EXEC_FILE, execFileMode);
676 creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
677 symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
678 symlinkSafe(dir + "/" + NORMAL_FILE, dir + "/" + LINK_PREFIX + NORMAL_FILE);
681 static void createInnerAppDir(const std::string &dir, const std::string &nonAppDir)
685 symlinkSafe(nonAppDir, dir + "/" + LINK_PREFIX + "non_app_dir");
686 symlinkSafe(nonAppDir + "/" + EXEC_FILE,
687 dir + "/" + LINK_PREFIX + "non_app_" + EXEC_FILE);
688 symlinkSafe(nonAppDir + "/" + NORMAL_FILE,
689 dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
692 static void generateAppDir(const TemporaryTestUser &user)
694 const std::string dir = appDirPath(user);
695 const std::string nonAppDir = nonAppDirPath(user);
697 createInnerAppDir(dir, nonAppDir);
698 createInnerAppDir(dir + "/.inner_dir", nonAppDir);
699 createInnerAppDir(dir + "/inner_dir", nonAppDir);
702 static void generateNonAppDir(const TemporaryTestUser &user)
704 const std::string dir = nonAppDirPath(user);
707 createTestDir(dir + "/.inner_dir");
708 createTestDir(dir + "/inner_dir");
711 static void createTestDirs(const TemporaryTestUser &user)
713 generateAppDir(user);
714 generateNonAppDir(user);
717 static void removeTestDirs(const TemporaryTestUser &user)
719 removeDir(appDirPath(user));
720 removeDir(nonAppDirPath(user));
723 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
726 const char *const sm_app_id = "sm_test_04a_app_id_uid";
727 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
728 const std::string new_user_name = "sm_test_04a_user_name";
730 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
733 removeTestDirs(testUser);
734 createTestDirs(testUser);
736 const std::string userAppDirPath = appDirPath(testUser);
738 //switch user to non-root
739 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
740 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
742 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
744 //uninstall app as non-root user
745 InstallRequest request;
746 request.setAppId(sm_app_id);
748 Api::uninstall(request);
750 check_app_permissions(sm_app_id, sm_pkg_id,
751 uidToStr(testUser.getUid()).c_str(),
752 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
755 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
758 const char *const sm_app_id = "sm_test_04b_app_id_uid";
759 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
760 const std::string new_user_name = "sm_test_04b_user_name";
762 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
765 removeTestDirs(testUser);
766 createTestDirs(testUser);
768 install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser), true);
770 //switch user to non-root - root may not uninstall apps for specified users
771 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
772 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
774 //uninstall app as non-root user
775 InstallRequest request;
776 request.setAppId(sm_app_id);
778 Api::uninstall(request);
780 check_app_permissions(sm_app_id, sm_pkg_id,
781 uidToStr(testUser.getUid()).c_str(),
782 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
786 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
789 CapsSetsUniquePtr caps, caps_empty(cap_init());
791 caps.reset(cap_from_text("all=eip"));
792 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
793 result = cap_set_proc(caps.get());
794 RUNNER_ASSERT_MSG(result == 0,
795 "can't set capabilities. Result: " << result);
797 Api::dropProcessPrivileges();
799 caps.reset(cap_get_proc());
800 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
802 result = cap_compare(caps.get(), caps_empty.get());
803 RUNNER_ASSERT_MSG(result == 0,
804 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
807 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
809 const char *const app_id = "sm_test_06_app_id_install_app_offline";
810 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
811 ServiceManager serviceManager("security-manager.service");
813 uninstall_app(app_id, pkg_id, true);
814 serviceManager.maskService();
815 serviceManager.stopService();
817 install_app(app_id, pkg_id);
819 serviceManager.unmaskService();
820 serviceManager.startService();
822 uninstall_app(app_id, pkg_id, true);
825 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
827 const char *const sm_app_id = "sm_test_07_app_id_user";
828 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
829 const std::string new_user_name = "sm_test_07_user_name";
830 std::string uid_string;
831 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
833 test_user.getUidString(uid_string);
835 removeTestDirs(test_user);
836 createTestDirs(test_user);
838 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
840 check_app_after_install(sm_app_id, sm_pkg_id);
844 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
846 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
849 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
851 UserRequest addUserRequest;
853 const char *const sm_app_id = "sm_test_08_app_id_user";
854 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
855 const std::string new_user_name = "sm_test_08_user_name";
856 std::string uid_string;
859 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
861 test_user.getUidString(uid_string);
863 removeTestDirs(test_user);
864 createTestDirs(test_user);
866 addUserRequest.setUid(test_user.getUid());
867 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
870 Api::addUser(addUserRequest);
872 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
874 check_app_after_install(sm_app_id, sm_pkg_id);
878 UserRequest deleteUserRequest;
879 deleteUserRequest.setUid(test_user.getUid());
881 Api::deleteUser(deleteUserRequest);
883 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
885 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
888 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
890 const char *const app_id = "security_manager_09_add_user_offline_app";
891 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
892 const std::string new_user_name("sm_test_09_user_name");
893 ServiceManager serviceManager("security-manager.service");
894 serviceManager.maskService();
895 serviceManager.stopService();
897 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
900 removeTestDirs(test_user);
901 createTestDirs(test_user);
903 install_app(app_id, pkg_id, test_user.getUid());
905 check_app_after_install(app_id, pkg_id);
907 serviceManager.unmaskService();
908 serviceManager.startService();
912 check_app_after_uninstall(app_id, pkg_id, true);
915 RUNNER_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
918 const std::string username("sm_test_10_user_name");
919 unsigned int privileges_count = 0;
921 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
922 std::map<std::string, std::set<std::string>> apps2PrivsMap;
924 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
925 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
926 MANY_APPS.at(i), std::set<std::string>(
927 MANY_APPS_PRIVILEGES.at(i).begin(),
928 MANY_APPS_PRIVILEGES.at(i).end())));
929 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
932 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
933 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
935 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
940 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
942 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
945 if (pid != 0) { //parent process
946 TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
949 for(const auto &user : users2AppsMap) {
951 for(const auto &app : user.second) {
952 InstallRequest requestInst;
953 requestInst.setAppId(app.first.c_str());
955 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
956 } catch (const std::out_of_range &e) {
957 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
959 requestInst.setUid(tmpUser.getUid());
961 for (const auto &privilege : app.second) {
962 requestInst.addPrivilege(privilege.c_str());
965 Api::install(requestInst);
968 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
970 //Start child process
972 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
980 if (pid == 0) { //child process
982 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
983 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
985 struct passwd *pw = getUserStruct(username);
986 register_current_process_as_privilege_manager(pw->pw_uid);
987 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
988 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
990 std::vector<PolicyEntry> policyEntries;
992 Api::getPolicy(filter, policyEntries);
994 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
995 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
997 for (const auto &policyEntry : policyEntries) {
998 std::string user = policyEntry.getUser();
999 std::string app = policyEntry.getAppId();
1000 std::string privilege = policyEntry.getPrivilege();
1003 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1004 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1005 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1006 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1007 } catch (const std::out_of_range &e) {
1008 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1009 } catch (const std::invalid_argument& e) {
1010 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1017 RUNNER_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
1020 const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
1021 unsigned int privileges_count = 0;
1023 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1024 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1026 for (const auto &username : usernames) {
1027 //Only entries for one of the users will be listed
1028 privileges_count = 0;
1030 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1031 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1032 MANY_APPS.at(i), std::set<std::string>(
1033 MANY_APPS_PRIVILEGES.at(i).begin(),
1034 MANY_APPS_PRIVILEGES.at(i).end())));
1035 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1038 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1041 users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
1042 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1049 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1051 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1054 if (pid != 0) { //parent process
1055 std::vector<TemporaryTestUser> users = {
1056 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1057 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1060 users.at(0).create();
1061 users.at(1).create();
1063 //Install apps for both users
1064 for(const auto &user : users) {
1065 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1066 InstallRequest requestInst;
1067 requestInst.setAppId(app.first.c_str());
1069 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1070 } catch (const std::out_of_range &e) {
1071 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1073 requestInst.setUid(user.getUid());
1075 for (const auto &privilege : app.second) {
1076 requestInst.addPrivilege(privilege.c_str());
1079 Api::install(requestInst);
1082 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1086 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1091 for(auto &user : users) {
1098 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1099 struct passwd *pw = getUserStruct(usernames.at(0));
1100 register_current_process_as_privilege_manager(pw->pw_uid);
1102 //change uid to normal user
1104 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1105 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1107 std::vector<PolicyEntry> policyEntries;
1110 //this call should only return privileges belonging to the current uid
1111 Api::getPolicy(filter, policyEntries);
1113 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1114 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1116 for (const auto &policyEntry : policyEntries) {
1117 std::string user = policyEntry.getUser();
1118 std::string app = policyEntry.getAppId();
1119 std::string privilege = policyEntry.getPrivilege();
1122 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1123 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1124 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1125 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1126 } catch (const std::out_of_range &e) {
1127 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1128 } catch (const std::invalid_argument& e) {
1129 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1136 RUNNER_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
1139 const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
1140 unsigned int privileges_count = 0;
1142 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1143 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1145 for (const auto &username : usernames) {
1147 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1148 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1149 MANY_APPS.at(i), std::set<std::string>(
1150 MANY_APPS_PRIVILEGES.at(i).begin(),
1151 MANY_APPS_PRIVILEGES.at(i).end())));
1152 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1155 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1158 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1159 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
1161 privileges_count += 2;
1166 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1168 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1171 if (pid != 0) { //parent process
1172 std::vector<TemporaryTestUser> users = {
1173 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1174 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1177 users.at(0).create();
1178 users.at(1).create();
1179 //Install apps for both users
1180 for(const auto &user : users) {
1181 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1182 InstallRequest requestInst;
1183 requestInst.setAppId(app.first.c_str());
1185 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1186 } catch (const std::out_of_range &e) {
1187 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1189 requestInst.setUid(user.getUid());
1191 for (const auto &privilege : app.second) {
1192 requestInst.addPrivilege(privilege.c_str());
1195 Api::install(requestInst);
1198 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1203 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1205 //Wait for child to finish
1209 for(auto &user : users) {
1214 if (pid == 0) { //child process
1216 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1218 struct passwd *pw = getUserStruct(usernames.at(1));
1219 register_current_process_as_privilege_manager(pw->pw_uid, true);
1221 //change uid to normal user
1222 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1223 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1225 std::vector<PolicyEntry> policyEntries;
1227 //this call should succeed as the calling user is privileged
1228 Api::getPolicy(filter, policyEntries);
1230 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1231 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1233 for (const auto &policyEntry : policyEntries) {
1234 std::string user = policyEntry.getUser();
1235 std::string app = policyEntry.getAppId();
1236 std::string privilege = policyEntry.getPrivilege();
1239 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1240 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1241 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1242 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1243 } catch (const std::out_of_range &e) {
1244 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1245 } catch (const std::invalid_argument& e) {
1246 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1254 RUNNER_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
1257 const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
1259 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1260 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1262 for (const auto &username : usernames) {
1264 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1265 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1266 MANY_APPS.at(i), std::set<std::string>(
1267 MANY_APPS_PRIVILEGES.at(i).begin(),
1268 MANY_APPS_PRIVILEGES.at(i).end())));
1271 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1274 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1275 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1282 RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
1284 RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
1286 RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
1288 RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
1289 std::vector<PolicyEntry> policyEntries;
1293 if(pid[0] == 0) { //child #1 process
1294 RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
1295 struct passwd *pw = getUserStruct(usernames.at(0));
1296 register_current_process_as_privilege_manager(pw->pw_uid);
1298 //change uid to normal user
1299 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1300 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1303 PolicyRequest policyRequest;
1304 //this call should succeed as the calling user is privileged
1305 Api::getPolicyForSelf(filter, policyEntries);
1307 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1309 PolicyEntry policyEntry(
1311 std::to_string(pw->pw_uid),
1312 "http://tizen.org/privilege/internet"
1314 policyEntry.setLevel("Deny");
1316 policyRequest.addEntry(policyEntry);
1317 policyEntry = PolicyEntry(
1319 std::to_string(pw->pw_uid),
1320 "http://tizen.org/privilege/location"
1322 policyEntry.setLevel("Deny");
1324 policyRequest.addEntry(policyEntry);
1325 Api::sendPolicy(policyRequest);
1326 Api::getPolicyForSelf(filter, policyEntries);
1328 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1332 if (pid[0] != 0) {//parent process
1335 if (pid[1] == 0) { //child #2 process
1337 RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
1338 struct passwd *pw_target = getUserStruct(usernames.at(0));
1339 struct passwd *pw = getUserStruct(usernames.at(1));
1340 register_current_process_as_privilege_manager(pw->pw_uid);
1342 //change uid to normal user
1343 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1344 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1346 PolicyEntry filter = PolicyEntry(
1347 SECURITY_MANAGER_ANY,
1348 std::to_string(pw_target->pw_uid),
1349 SECURITY_MANAGER_ANY
1352 //U2 requests contents of U1 privacy manager - should fail
1353 Api::getPolicyForSelf(filter, policyEntries);
1354 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1356 filter = PolicyEntry(
1357 SECURITY_MANAGER_ANY,
1358 SECURITY_MANAGER_ANY,
1359 SECURITY_MANAGER_ANY
1362 policyEntries.clear();
1364 //U2 requests contents of ADMIN bucket - should fail
1365 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
1366 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1370 if (pid[1] != 0) { //parent
1372 std::vector<TemporaryTestUser> users = {
1373 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1374 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1377 users.at(0).create();
1378 users.at(1).create();
1380 //Install apps for both users
1381 for(const auto &user : users2AppsMap) {
1383 for(const auto &app : user.second) {
1384 InstallRequest requestInst;
1385 requestInst.setAppId(app.first.c_str());
1387 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1388 } catch (const std::out_of_range &e) {
1389 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1391 requestInst.setUid(users.at(0).getUid());
1393 for (const auto &privilege : app.second) {
1394 requestInst.addPrivilege(privilege.c_str());
1397 Api::install(requestInst);
1400 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1406 RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
1408 //Wait until child #1 finishes
1409 pid_t ret = wait(&status);
1410 RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
1414 RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
1415 //Wait until child #2 finishes
1416 ret = wait(&status);
1417 RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
1419 for(auto &user : users) {
1423 sem_close(mutex[0]);
1424 sem_close(mutex[1]);
1429 RUNNER_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
1432 const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
1433 unsigned int privileges_count = 0;
1435 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1436 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1438 for (const auto &username : usernames) {
1440 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1441 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1442 MANY_APPS.at(i), std::set<std::string>(
1443 MANY_APPS_PRIVILEGES.at(i).begin(),
1444 MANY_APPS_PRIVILEGES.at(i).end())));
1445 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1448 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1451 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1452 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1454 privileges_count += 2;
1458 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1460 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1464 std::vector<TemporaryTestUser> users = {
1465 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1466 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1469 users.at(0).create();
1470 users.at(1).create();
1472 //Install apps for both users
1473 for(const auto &user : users) {
1475 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1476 InstallRequest requestInst;
1477 requestInst.setAppId(app.first.c_str());
1479 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1480 } catch (const std::out_of_range &e) {
1481 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1483 requestInst.setUid(user.getUid());
1485 for (const auto &privilege : app.second) {
1486 requestInst.addPrivilege(privilege.c_str());
1489 Api::install(requestInst);
1492 //Start child process
1494 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1496 //Wait for child process to finish
1499 //switch back to root
1500 for(auto &user : users) {
1507 if (pid == 0) { //child process
1509 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
1511 struct passwd *pw = getUserStruct(usernames.at(0));
1512 register_current_process_as_privilege_manager(pw->pw_uid, true);
1514 //change uid to normal user
1515 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1516 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1518 PolicyRequest *policyRequest = new PolicyRequest();
1520 std::vector<PolicyEntry> policyEntries;
1521 //this call should succeed as the calling user is privileged
1522 Api::getPolicyForSelf(filter, policyEntries);
1524 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1526 PolicyEntry policyEntry(
1527 SECURITY_MANAGER_ANY,
1528 SECURITY_MANAGER_ANY,
1529 "http://tizen.org/privilege/internet"
1531 policyEntry.setMaxLevel("Deny");
1533 policyRequest->addEntry(policyEntry);
1534 policyEntry = PolicyEntry(
1535 SECURITY_MANAGER_ANY,
1536 SECURITY_MANAGER_ANY,
1537 "http://tizen.org/privilege/location"
1539 policyEntry.setMaxLevel("Deny");
1541 policyRequest->addEntry(policyEntry);
1542 Api::sendPolicy(*policyRequest);
1543 Api::getPolicyForAdmin(filter, policyEntries);
1545 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1547 delete policyRequest;
1548 policyRequest = new PolicyRequest();
1549 policyEntry = PolicyEntry(
1550 SECURITY_MANAGER_ANY,
1551 SECURITY_MANAGER_ANY,
1552 "http://tizen.org/privilege/internet"
1554 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1555 policyRequest->addEntry(policyEntry);
1557 policyEntry = PolicyEntry(
1558 SECURITY_MANAGER_ANY,
1559 SECURITY_MANAGER_ANY,
1560 "http://tizen.org/privilege/location"
1562 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1564 policyRequest->addEntry(policyEntry);
1565 Api::sendPolicy(*policyRequest);
1567 policyEntries.clear();
1568 Api::getPolicyForAdmin(filter, policyEntries);
1569 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
1571 delete policyRequest;
1578 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
1580 const char *const update_app_id = "security_manager_15_update_app_id";
1581 const char *const update_privilege = "http://tizen.org/privilege/led";
1582 const char *const check_start_bucket = "ADMIN";
1583 const std::string username("sm_test_15_username");
1584 PolicyRequest addPolicyRequest;
1585 CynaraTestAdmin::Admin admin;
1587 std::string smackLabel;
1588 generateAppLabel(update_app_id, smackLabel);
1599 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1601 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
1605 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1606 if (pid != 0)//parent process
1608 FdUniquePtr pipeptr(pipefd+1);
1611 register_current_process_as_privilege_manager(user.getUid(), true);
1613 //send info to child
1614 msg.uid = user.getUid();
1615 msg.gid = user.getGid();
1617 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1618 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1621 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1623 admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
1624 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1628 FdUniquePtr pipeptr(pipefd);
1631 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1632 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1634 //become admin privacy manager manager
1635 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1636 result = drop_root_privileges(msg.uid, msg.gid);
1637 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1639 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1640 entry.setMaxLevel("Allow");
1642 addPolicyRequest.addEntry(entry);
1643 Api::sendPolicy(addPolicyRequest);
1648 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
1650 const char *const update_other_app_id = "security_manager_15_update_other_app_id";
1651 const char *const update_privilege = "http://tizen.org/privilege/led";
1652 const char *const check_start_bucket = "ADMIN";
1653 const std::string username("sm_test_15_username");
1654 PolicyRequest addPolicyRequest;
1655 CynaraTestAdmin::Admin admin;
1657 std::string smackLabel;
1658 generateAppLabel(update_other_app_id, smackLabel);
1669 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1671 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
1675 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1676 if (pid != 0)//parent process
1678 FdUniquePtr pipeptr(pipefd+1);
1681 register_current_process_as_privilege_manager(user.getUid(), true);
1683 //send info to child
1684 msg.uid = user.getUid();
1685 msg.gid = user.getGid();
1687 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1688 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1691 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1693 admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
1694 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1698 FdUniquePtr pipeptr(pipefd);
1701 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1702 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1704 //become admin privacy manager manager
1705 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1706 result = drop_root_privileges(msg.uid, msg.gid);
1707 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1709 // use wildcard as appId
1710 PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1711 entry.setMaxLevel("Allow");
1713 addPolicyRequest.addEntry(entry);
1714 Api::sendPolicy(addPolicyRequest);
1719 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
1721 const char *const update_app_id = "security_manager_15_update_app_id";
1722 const char *const update_privilege = "http://tizen.org/privilege/led";
1723 const char *const check_start_bucket = "";
1724 const std::string username("sm_test_15_username");
1725 PolicyRequest addPolicyRequest;
1726 CynaraTestAdmin::Admin admin;
1728 std::string smackLabel;
1729 generateAppLabel(update_app_id, smackLabel);
1740 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1742 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1746 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1747 if (pid != 0)//parent process
1749 FdUniquePtr pipeptr(pipefd+1);
1752 register_current_process_as_privilege_manager(user.getUid(), false);
1754 //send info to child
1755 msg.uid = user.getUid();
1756 msg.gid = user.getGid();
1758 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1759 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1762 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1764 admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
1765 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1769 FdUniquePtr pipeptr(pipefd);
1772 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1773 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1775 //become admin privacy manager manager
1776 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1777 result = drop_root_privileges(msg.uid, msg.gid);
1778 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1780 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1781 entry.setLevel("Allow");
1783 addPolicyRequest.addEntry(entry);
1784 Api::sendPolicy(addPolicyRequest);
1789 RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
1791 const std::string username("sm_test_16_user_cynara_policy");
1792 CynaraTestAdmin::Admin admin;
1802 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1804 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1808 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1809 if (pid != 0)//parent process
1811 FdUniquePtr pipeptr(pipefd+1);
1814 //send info to child
1815 msg.uid = user.getUid();
1816 msg.gid = user.getGid();
1818 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1819 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1822 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1828 std::string allow_policy, deny_policy;
1830 FdUniquePtr pipeptr(pipefd);
1833 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1834 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1836 //become admin privacy manager manager
1837 result = drop_root_privileges(msg.uid, msg.gid);
1838 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1840 // without plugins there should only be 2 policies - Allow and Deny
1841 ret = security_manager_policy_levels_get(&levels, &count);
1843 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
1844 "Invlid return code: " << ret);
1846 RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
1848 deny_policy = std::string(levels[0]);
1849 allow_policy = std::string(levels[count-1]);
1851 // first should always be Deny
1852 RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
1853 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
1855 // last should always be Allow
1856 RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
1857 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
1859 security_manager_policy_levels_free(levels, count);
1864 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
1866 const char *const update_app_id = "security_manager_17_update_app_id";
1867 const char *const update_privilege = "http://tizen.org/privilege/led";
1868 const char *const check_start_bucket = "";
1869 const std::string username("sm_test_17_username");
1870 PolicyRequest addPolicyRequest;
1871 CynaraTestAdmin::Admin admin;
1873 std::string smackLabel;
1874 generateAppLabel(update_app_id, smackLabel);
1886 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1887 RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
1889 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1893 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1894 if (pid != 0)//parent process
1896 FdUniquePtr pipeptr(pipefd+1);
1899 register_current_process_as_privilege_manager(user.getUid(), false);
1901 //send info to child
1902 msg.uid = user.getUid();
1903 msg.gid = user.getGid();
1905 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1906 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1909 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1911 admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
1912 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1915 if (pid != 0)//parent process
1917 FdUniquePtr pipeptr(pipefd2+1);
1920 //send info to child
1921 msg.uid = user.getUid();
1922 msg.gid = user.getGid();
1924 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
1925 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1928 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1931 waitpid(-1, &result, 0);
1933 admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
1934 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
1938 FdUniquePtr pipeptr(pipefd2);
1941 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
1942 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1944 //become admin privacy manager manager
1945 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1946 result = drop_root_privileges(msg.uid, msg.gid);
1947 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1949 // delete this entry
1950 PolicyRequest deletePolicyRequest;
1951 PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1952 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
1954 deletePolicyRequest.addEntry(deleteEntry);
1955 Api::sendPolicy(deletePolicyRequest);
1961 FdUniquePtr pipeptr(pipefd);
1964 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1965 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1967 //become admin privacy manager manager
1968 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1969 result = drop_root_privileges(msg.uid, msg.gid);
1970 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1972 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1973 entry.setLevel("Allow");
1975 addPolicyRequest.addEntry(entry);
1976 Api::sendPolicy(addPolicyRequest);
1981 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
1983 const std::string username("sm_test_17_user_name");
1988 unsigned int privileges_count;
1995 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1998 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1999 if (pid != 0)//parent process
2001 FdUniquePtr pipeptr(pipefd+1);
2004 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
2007 unsigned int privileges_count = 0;
2009 register_current_process_as_privilege_manager(user.getUid(), false);
2010 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
2013 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
2014 InstallRequest requestInst;
2015 requestInst.setAppId(MANY_APPS[i].c_str());
2016 requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
2017 requestInst.setUid(user.getUid());
2019 for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
2020 requestInst.addPrivilege(priv.c_str());
2023 Api::install(requestInst);
2024 privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
2027 //send info to child
2028 msg.uid = user.getUid();
2029 msg.gid = user.getGid();
2030 msg.privileges_count = privileges_count;
2032 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
2033 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
2036 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
2040 FdUniquePtr pipeptr(pipefd);
2043 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
2044 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
2046 //become admin privacy manager manager
2047 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
2048 result = drop_root_privileges(msg.uid, msg.gid);
2049 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
2051 // filter by privilege
2052 std::vector<PolicyEntry> policyEntries;
2053 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
2054 Api::getPolicy(filter, policyEntries);
2056 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2057 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
2059 // filter by other privilege
2060 policyEntries.clear();
2061 PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
2062 Api::getPolicy(filter2, policyEntries);
2064 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2065 RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
2068 policyEntries.clear();
2069 PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
2070 Api::getPolicy(filter3, policyEntries);
2072 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2073 RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
2077 RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy)
2079 const char *const MAIN_BUCKET = "MAIN";
2080 const char *const MANIFESTS_BUCKET = "MANIFESTS";
2081 const char *const ADMIN_BUCKET = "ADMIN";
2082 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
2083 const std::string username("sm_test_10_user_cynara_policy");
2084 CynaraTestAdmin::Admin admin;
2085 std::string uid_string;
2086 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2088 user.getUidString(uid_string);
2090 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
2091 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
2092 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
2095 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
2097 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2098 admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2099 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2100 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2103 RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install)
2106 const int SUCCESS = 0;
2107 const int FAILURE = 256;
2108 const std::string app_id = "security_manager_10_app";
2109 const std::string pkg_id = "security_manager_10_pkg";
2110 const std::string username("sm_test_10_user_name");
2111 std::string uid_string;
2112 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2114 user.getUidString(uid_string);
2115 const std::string path1 = "/home/" + username + "/p1";
2116 const std::string path2 = "/home/" + username + "/p2";
2117 const std::string pkgopt = " --pkg=" + pkg_id;
2118 const std::string appopt = " --app=" + app_id;
2119 const std::string uidopt = " --uid=" + uid_string;
2121 mkdir(path1.c_str(), 0);
2122 mkdir(path2.c_str(), 0);
2124 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
2127 std::string command;
2128 int expected_result;
2130 std::vector<struct operation> operations = {
2131 {"security-manager-cmd", FAILURE},//no option
2132 {"security-manager-cmd --blah", FAILURE},//blah option is not known
2133 {"security-manager-cmd --help", SUCCESS},
2134 {"security-manager-cmd --install", FAILURE},//no params
2135 {"security-manager-cmd -i", FAILURE},//no params
2136 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
2137 {installcmd, SUCCESS},
2138 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
2139 {installcmd + " --path " + path1 + " private", SUCCESS},
2140 {installcmd + " --path " + path1, FAILURE},//no path type
2141 {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS},
2142 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type
2143 {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
2146 for (auto &op : operations) {
2147 ret = system(op.command.c_str());
2148 RUNNER_ASSERT_MSG(ret == op.expected_result,
2149 "Unexpected result for command '" << op.command <<"': "
2150 << ret << " Expected was: "<< op.expected_result);
2154 RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
2157 const int SUCCESS = 0;
2158 const int FAILURE = 256;
2159 const std::string username("sm_test_11_user_name");
2160 std::string uid_string;
2161 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2163 user.getUidString(uid_string);
2164 const std::string uidopt = " --uid=" + uid_string;
2167 std::string command;
2168 int expected_result;
2170 std::vector<struct operation> operations = {
2171 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
2172 {"security-manager-cmd -m", FAILURE},//no params
2173 {"security-manager-cmd -mr", FAILURE},//no uid
2174 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
2175 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
2176 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
2177 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
2178 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
2179 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
2180 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
2181 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
2184 for (auto &op : operations) {
2185 ret = system(op.command.c_str());
2186 RUNNER_ASSERT_MSG(ret == op.expected_result,
2187 "Unexpected result for command '" << op.command <<"': "
2188 << ret << " Expected was: "<< op.expected_result);
2192 RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
2194 const int BUFFER_SIZE = 128;
2198 char buf[BUFFER_SIZE];
2201 privileges_t admin_required_privs = {
2202 "http://tizen.org/privilege/systemsettings.admin",
2203 "http://tizen.org/privilege/systemsettings"};
2204 privileges_t manifest_privs = {
2205 "http://tizen.org/privilege/internet",
2206 "http://tizen.org/privilege/camera"};
2207 privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
2208 privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
2210 const std::string pirivman_id = "sm_test_13_ADMIN_APP";
2211 const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
2212 const std::string app_id = "sm_test_13_SOME_APP";
2213 const std::string pkg_id = "sm_test_13_SOME_PKG";
2219 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
2221 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
2222 if (pid != 0)//parent process
2224 std::string childuidstr;
2225 TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
2226 TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
2228 InstallRequest request,request2;
2229 FdUniquePtr pipeptr(pipefd+1);
2234 child.getUidString(childuidstr);
2236 //install privacy manager for admin
2237 request.setAppId(pirivman_id.c_str());
2238 request.setPkgId(pirivman_pkg_id.c_str());
2239 request.setUid(admin.getUid());
2240 for (auto &priv: admin_required_privs)
2241 request.addPrivilege(priv.c_str());
2242 Api::install(request);
2244 //install app for child that has internet privilege
2245 request2.setAppId(app_id.c_str());
2246 request2.setPkgId(pkg_id.c_str());
2247 request2.setUid(child.getUid());
2248 for (auto &priv: manifest_privs)
2249 request2.addPrivilege(priv.c_str());
2250 Api::install(request2);
2252 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
2253 manifest_privs, SM_NO_PRIVILEGES);
2255 //send info to child
2256 msg.uid = admin.getUid();
2257 msg.gid = admin.getGid();
2258 strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
2260 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
2261 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
2264 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
2266 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
2267 real_privs_allow, real_privs_deny);
2269 if (pid == 0)//child
2271 FdUniquePtr pipeptr(pipefd);
2274 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
2275 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
2277 //become admin privacy manager manager
2278 Api::setProcessLabel(pirivman_id.c_str());
2279 result = drop_root_privileges(msg.uid, msg.gid);
2280 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
2281 PolicyRequest addPolicyReq;
2283 for (auto &denypriv:real_privs_deny) {
2284 /*this entry will deny some privileges for user whose uid (as c string)
2285 was sent in message's buf field.
2286 That user would be denying internet for child in this case*/
2287 PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
2288 entry.setMaxLevel("Deny");
2289 addPolicyReq.addEntry(entry);
2291 Api::sendPolicy(addPolicyReq);
2296 int main(int argc, char *argv[])
2298 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
projects / platform / core / test / security-tests.git / blob