+RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
+{
+ const char *const update_app_id = "security_manager_15_update_app_id";
+ const char *const update_privilege = "http://tizen.org/privilege/led";
+ const char *const check_start_bucket = "";
+ const std::string username("sm_test_15_username");
+ PolicyRequest addPolicyRequest;
+ CynaraTestAdmin::Admin admin;
+
+ std::string smackLabel;
+ generateAppLabel(update_app_id, smackLabel);
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ register_current_process_as_privilege_manager(user.getUid(), false);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+ admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ entry.setLevel("Allow");
+
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ exit(0);
+ }
+}
+
+RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
+{
+ const std::string username("sm_test_16_user_cynara_policy");
+ CynaraTestAdmin::Admin admin;
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ }
+ if(pid == 0)
+ {
+ int ret;
+ char** levels;
+ std::string allow_policy, deny_policy;
+ size_t count;
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // without plugins there should only be 2 policies - Allow and Deny
+ ret = security_manager_policy_levels_get(&levels, &count);
+
+ RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
+ "Invlid return code: " << ret);
+
+ RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
+
+ deny_policy = std::string(levels[0]);
+ allow_policy = std::string(levels[count-1]);
+
+ // first should always be Deny
+ RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
+ "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
+
+ // last should always be Allow
+ RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
+ "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
+
+ security_manager_policy_levels_free(levels, count);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+{
+ const char *const update_app_id = "security_manager_17_update_app_id";
+ const char *const update_privilege = "http://tizen.org/privilege/led";
+ const char *const check_start_bucket = "";
+ const std::string username("sm_test_17_username");
+ PolicyRequest addPolicyRequest;
+ CynaraTestAdmin::Admin admin;
+
+ std::string smackLabel;
+ generateAppLabel(update_app_id, smackLabel);
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ int pipefd[2];
+ int pipefd2[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ register_current_process_as_privilege_manager(user.getUid(), false);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+ admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+
+ pid = fork();
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd2+1);
+ close(pipefd2[0]);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+ //wait for child
+ waitpid(-1, &result, 0);
+
+ admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd2);
+ close(pipefd2[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // delete this entry
+ PolicyRequest deletePolicyRequest;
+ PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
+
+ deletePolicyRequest.addEntry(deleteEntry);
+ Api::sendPolicy(deletePolicyRequest);
+ exit(0);
+ }
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ entry.setLevel("Allow");
+
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
+{
+ const std::string username("sm_test_17_user_name");
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ unsigned int privileges_count;
+ } msg;
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
+ user.create();
+
+ unsigned int privileges_count = 0;
+
+ register_current_process_as_privilege_manager(user.getUid(), false);
+ //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+ ++privileges_count;
+
+ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
+ InstallRequest requestInst;
+ requestInst.setAppId(MANY_APPS[i].c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
+ requestInst.setUid(user.getUid());
+
+ for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
+ requestInst.addPrivilege(priv.c_str());
+ };
+
+ Api::install(requestInst);
+ privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
+ };
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+ msg.privileges_count = privileges_count;
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // filter by privilege
+ std::vector<PolicyEntry> policyEntries;
+ PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
+ Api::getPolicy(filter, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
+
+ // filter by other privilege
+ policyEntries.clear();
+ PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
+ Api::getPolicy(filter2, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
+
+ // filter by appId
+ policyEntries.clear();
+ PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
+ Api::getPolicy(filter3, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy)
+{
+ const char *const MAIN_BUCKET = "MAIN";
+ const char *const MANIFESTS_BUCKET = "MANIFESTS";
+ const char *const ADMIN_BUCKET = "ADMIN";
+ const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
+ const std::string username("sm_test_10_user_cynara_policy");
+ CynaraTestAdmin::Admin admin;
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ user.create();
+ user.getUidString(uid_string);
+
+ CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
+ nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
+ admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
+
+ user.remove();
+ CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
+
+ admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+}
+
+RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install)
+{
+ int ret;
+ const int SUCCESS = 0;
+ const int FAILURE = 256;
+ const std::string app_id = "security_manager_10_app";
+ const std::string pkg_id = "security_manager_10_pkg";
+ const std::string username("sm_test_10_user_name");
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ user.create();
+ user.getUidString(uid_string);
+ const std::string path1 = "/home/" + username + "/p1";
+ const std::string path2 = "/home/" + username + "/p2";
+ const std::string pkgopt = " --pkg=" + pkg_id;
+ const std::string appopt = " --app=" + app_id;
+ const std::string uidopt = " --uid=" + uid_string;
+
+ mkdir(path1.c_str(), 0);
+ mkdir(path2.c_str(), 0);
+
+ const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
+
+ struct operation {
+ std::string command;
+ int expected_result;
+ };
+ std::vector<struct operation> operations = {
+ {"security-manager-cmd", FAILURE},//no option
+ {"security-manager-cmd --blah", FAILURE},//blah option is not known
+ {"security-manager-cmd --help", SUCCESS},
+ {"security-manager-cmd --install", FAILURE},//no params
+ {"security-manager-cmd -i", FAILURE},//no params
+ {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
+ {installcmd, SUCCESS},
+ {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
+ {installcmd + " --path " + path1 + " private", SUCCESS},
+ {installcmd + " --path " + path1, FAILURE},//no path type
+ {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS},
+ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type
+ {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+ };
+
+ for (auto &op : operations) {
+ ret = system(op.command.c_str());
+ RUNNER_ASSERT_MSG(ret == op.expected_result,
+ "Unexpected result for command '" << op.command <<"': "
+ << ret << " Expected was: "<< op.expected_result);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
+{
+ int ret;
+ const int SUCCESS = 0;
+ const int FAILURE = 256;
+ const std::string username("sm_test_11_user_name");
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ user.create();
+ user.getUidString(uid_string);
+ const std::string uidopt = " --uid=" + uid_string;
+
+ struct operation {
+ std::string command;
+ int expected_result;
+ };
+ std::vector<struct operation> operations = {
+ {"security-manager-cmd --manage-users=remove", FAILURE},//no params
+ {"security-manager-cmd -m", FAILURE},//no params
+ {"security-manager-cmd -mr", FAILURE},//no uid
+ {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
+ {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
+ {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
+ {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
+ {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
+ {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
+ {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
+ {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
+ };
+
+ for (auto &op : operations) {
+ ret = system(op.command.c_str());
+ RUNNER_ASSERT_MSG(ret == op.expected_result,
+ "Unexpected result for command '" << op.command <<"': "
+ << ret << " Expected was: "<< op.expected_result);
+ }
+}
+
+RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
+{
+ const int BUFFER_SIZE = 128;
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ char buf[BUFFER_SIZE];
+ } msg;
+
+ privileges_t admin_required_privs = {
+ "http://tizen.org/privilege/systemsettings.admin",
+ "http://tizen.org/privilege/systemsettings"};
+ privileges_t manifest_privs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/camera"};
+ privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+ privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
+
+ const std::string pirivman_id = "sm_test_13_ADMIN_APP";
+ const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
+ const std::string app_id = "sm_test_13_SOME_APP";
+ const std::string pkg_id = "sm_test_13_SOME_PKG";
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ std::string childuidstr;
+ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
+ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+
+ InstallRequest request,request2;
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ admin.create();
+ child.create();
+ child.getUidString(childuidstr);
+
+ //install privacy manager for admin
+ request.setAppId(pirivman_id.c_str());
+ request.setPkgId(pirivman_pkg_id.c_str());
+ request.setUid(admin.getUid());
+ for (auto &priv: admin_required_privs)
+ request.addPrivilege(priv.c_str());
+ Api::install(request);
+
+ //install app for child that has internet privilege
+ request2.setAppId(app_id.c_str());
+ request2.setPkgId(pkg_id.c_str());
+ request2.setUid(child.getUid());
+ for (auto &priv: manifest_privs)
+ request2.addPrivilege(priv.c_str());
+ Api::install(request2);
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ manifest_privs, SM_NO_PRIVILEGES);
+
+ //send info to child
+ msg.uid = admin.getUid();
+ msg.gid = admin.getGid();
+ strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ real_privs_allow, real_privs_deny);
+ }
+ if (pid == 0)//child
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(pirivman_id.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ PolicyRequest addPolicyReq;
+ //change rights
+ for (auto &denypriv:real_privs_deny) {
+ /*this entry will deny some privileges for user whose uid (as c string)
+ was sent in message's buf field.
+ That user would be denying internet for child in this case*/
+ PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+ entry.setMaxLevel("Deny");
+ addPolicyReq.addEntry(entry);
+ }
+ Api::sendPolicy(addPolicyReq);
+ exit(0);
+ }
+}