#include <fcntl.h>
#include <stdio.h>
#include <memory.h>
-#include <semaphore.h>
#include <unistd.h>
#include <attr/xattr.h>
#include <sys/types.h>
#include <sys/un.h>
#include <sys/wait.h>
+#include <sys/smack.h>
#include <algorithm>
#include <fstream>
+#include <regex>
#include <string>
#include <unordered_set>
+#include <ftw.h>
#include <grp.h>
#include <pwd.h>
#include <tzplatform_config.h>
#include <security-manager.h>
+#include <access_provider.h>
#include <dpl/log/log.h>
#include <dpl/test/test_runner.h>
-#include <libprivilege-control_test_common.h>
+#include <passwd_access.h>
#include <tests_common.h>
#include <sm_api.h>
#include <sm_db.h>
#include <sm_request.h>
+#include <sm_sharing_request.h>
#include <sm_user_request.h>
+#include <app_install_helper.h>
+#include <synchronization_pipe.h>
#include <temp_test_user.h>
+#include <uds.h>
#include <cynara_test_client.h>
#include <cynara_test_admin.h>
#include <service_manager.h>
#include <cynara_test_admin.h>
+#include "memory.h"
using namespace SecurityManagerTest;
DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
static const privileges_t SM_ALLOWED_PRIVILEGES = {
- "http://tizen.org/privilege/location",
- "http://tizen.org/privilege/camera"
+ "http://tizen.org/privilege/display",
+ "http://tizen.org/privilege/nfc"
};
static const privileges_t SM_DENIED_PRIVILEGES = {
static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
-static const char *const SM_RW_PATH = "/usr/apps/sm_test_02_pkg_id_full/app_dir";
-static const char *const SM_RO_PATH = "/usr/apps/sm_test_02_pkg_id_full/app_dir_ro";
-static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/sm_test_02_pkg_id_full/app_dir_public_ro";
-static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
+void changeSecurityContext(const std::string& label, uid_t uid, gid_t gid)
+{
+ RUNNER_ASSERT_ERRNO_MSG(0 == smack_set_label_for_self(label.c_str()),
+ "Error in smack_set_label_for_self(" << label << ")");
+
+ RUNNER_ASSERT_ERRNO_MSG(0 == setgid(gid), "Error in setgid.");
+ RUNNER_ASSERT_ERRNO_MSG(0 == setuid(uid), "Error in setuid.");
+}
+
+std::string genPath(int app_num, const char *postfix) {
+ char buf[16];
+ sprintf(buf, "%02d", app_num);
+ return std::string("/opt/usr/apps/sm_test_") + std::string(buf) + std::string("_pkg_id_full/") + std::string(postfix);
+}
+std::string genRWPath(int app_num) {
+ return genPath(app_num, "app_dir");
+}
+std::string genROPath(int app_num) {
+ return genPath(app_num, "app_dir_ro");
+}
+std::string genPublicROPath(int app_num) {
+ return genPath(app_num, "app_dir_public_ro");
+}
+std::string genOwnerRWOthersROPath(int app_num) {
+ return genPath(app_num, "app_dir_rw_others_ro");
+}
+
+static const char *const SM_RW_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir";
+
+static const char *const SM_DENIED_PATH = "/opt/usr/apps/non_app_dir";
+static const char *const SM_TRUSTED_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir_trusted";
static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
static const std::string EXEC_FILE("exec");
static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
-static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
-static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
+static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
+static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
static const std::vector<std::string> MANY_APPS = {
"security_manager_10_app_1",
"security_manager_10_app_5"
};
-static const std::map<std::string, std::string> MANY_APPS_PKGS = {
- {"security_manager_10_app_1", "security_manager_10_pkg_1"},
- {"security_manager_10_app_2", "security_manager_10_pkg_2"},
- {"security_manager_10_app_3", "security_manager_10_pkg_3"},
- {"security_manager_10_app_4", "security_manager_10_pkg_4"},
- {"security_manager_10_app_5", "security_manager_10_pkg_5"},
- {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG}
+struct app_attributes {
+ std::string package;
+ std::string Tizen_ver;
+};
+static const std::map<std::string, struct app_attributes> MANY_APPS_PKGS = {
+ {"security_manager_10_app_1", {"security_manager_10_pkg_1", "2.1"}},
+ {"security_manager_10_app_2", {"security_manager_10_pkg_2", "3.0"}},
+ {"security_manager_10_app_3", {"security_manager_10_pkg_3", "2.1.1"}},
+ {"security_manager_10_app_4", {"security_manager_10_pkg_4", "3.1"}},
+ {"security_manager_10_app_5", {"security_manager_10_pkg_5", "2.2"}},
+ {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}}
};
static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
{
"http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
},
{
"http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/camera"
+ "http://tizen.org/privilege/datasharing"
},
{
- "http://tizen.org/privilege/contact.read",
+ "http://tizen.org/privilege/content.write",
"http://tizen.org/privilege/led",
"http://tizen.org/privilege/email"
},
"http://tizen.org/privilege/led",
"http://tizen.org/privilege/email",
"http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/camera"
+ "http://tizen.org/privilege/datasharing"
},
{
"http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/location",
+ "http://tizen.org/privilege/display",
"http://tizen.org/privilege/led",
"http://tizen.org/privilege/email"
}
};
-/* PRIVILEGE MAPPING TEST CONSTS */
-
-static const std::string OLD_VERSION = "2.4";
-static const std::string NEW_VERSION = "3.0";
-
-static const std::vector<std::string> OLD_PRIVILEGES = {
- "http://tizen.org/privilege/internet.old",
- "http://tizen.org/privilege/telephony.old",
- "http://tizen.org/privilege/contact.old",
- "http://tizen.org/privilege/led.old",
- "http://tizen.org/privilege/email.old"
-};
+class ScopedProcessLabel {
+public:
+ ScopedProcessLabel() {
+ smack_new_label_from_self(&label);
+ }
-static const std::vector<privileges_t> &NEW_PRIVILEGES = MANY_APPS_PRIVILEGES;
+ ~ScopedProcessLabel() {
+ smack_set_label_for_self(label);
+ free(label);
+ }
-static const privileges_t DEFAULT_PRIVILEGES = {
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/internet"
+private:
+ char *label;
};
static std::string generateAppLabel(const std::string &appId)
return "User::App::" + appId;
}
+static std::string generatePkgLabelOwnerRWothersRO(const std::string &pkgId)
+{
+ return "User::Pkg::" + pkgId + "::SharedRO";
+}
+
static std::string generatePkgLabel(const std::string &pkgId)
{
return "User::Pkg::" + pkgId;
}
+#define FTW_MAX_FDS 16
+
+static int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ smack_lsetlabel(fpath, nullptr, SMACK_LABEL_ACCESS);
+ smack_lsetlabel(fpath, nullptr, SMACK_LABEL_EXEC);
+ smack_lsetlabel(fpath, nullptr, SMACK_LABEL_TRANSMUTE);
+
+ return 0;
+}
+
+static int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ smack_lsetlabel(fpath, "canary_label", SMACK_LABEL_ACCESS);
+ smack_lsetlabel(fpath, "canary_label", SMACK_LABEL_EXEC);
+ smack_lsetlabel(fpath, nullptr, SMACK_LABEL_TRANSMUTE);
+
+ return 0;
+}
+
+static int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+{
+ int result;
+ CStringPtr labelPtr;
+ char* label = nullptr;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ result = strcmp("canary_label", labelPtr.get());
+ RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ result = strcmp("canary_label", labelPtr.get());
+ RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ RUNNER_ASSERT_MSG(labelPtr.get() == nullptr, "TRANSMUTE label on " << fpath << " is set");
+
+ return 0;
+}
+
static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
const char* correctLabel, bool transmute_test, bool exec_test)
{
nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec);
}
-static void prepare_app_path()
+static void prepare_app_path(int app_num, bool others_enabled = false)
{
+ std::string SM_RW_PATH = genRWPath(app_num);
+ std::string SM_RO_PATH = genROPath(app_num);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(app_num);
int result;
- result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(SM_RW_PATH.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
- result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(SM_RO_PATH.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(SM_PUBLIC_RO_PATH.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
+ if(others_enabled) {
+ std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(app_num);
+ result = nftw(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_OWNER_RW_OTHERS_RO_PATH);
+ }
+
result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
}
-static void prepare_app_env()
+static void prepare_app_env(int app_num, bool others_enabled = false)
{
- prepare_app_path();
+ prepare_app_path(app_num, others_enabled);
}
-static void check_app_path_after_install(const char *pkgId)
+static void check_app_path_after_install(int app_num, const char *pkgId, bool others_enabled=false)
{
+ std::string SM_RW_PATH = genRWPath(app_num);
+ std::string SM_RO_PATH = genROPath(app_num);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(app_num);
int result;
nftw_expected_label = generatePkgLabel(pkgId);
nftw_expected_transmute = true;
nftw_expected_exec = false;
- result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(SM_RW_PATH.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
nftw_expected_label = generatePkgLabel(pkgId) + "::RO";
nftw_expected_transmute = false;
nftw_expected_exec = false;
- result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(SM_RO_PATH.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
nftw_expected_label = "User::Home";
nftw_expected_transmute = true;
nftw_expected_exec = false;
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ result = nftw(SM_PUBLIC_RO_PATH.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
+
+ // owner RW, others RO
+ if(others_enabled) {
+ std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(app_num);
+ nftw_expected_label = generatePkgLabelOwnerRWothersRO(pkgId);
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+
+ result = nftw(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_OWNER_RW_OTHERS_RO_PATH);
+ }
}
const std::vector<std::string> &allowed_groups)
{
TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
- dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
+ dbtest.test_db_after__app_install(app_id, pkg_id);
/*Privileges should be granted to all users if root installs app*/
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
const privileges_t &privileges, const bool is_pkg_removed)
{
TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
+ dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
/*Privileges should not be granted anymore to any user*/
Api::install(request);
check_app_after_install(app_id, pkg_id);
-
}
static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
return pw;
};
-RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
+void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
+{
+ // check access
+ if (!access.empty()) {
+ int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
+ RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
+ RUNNER_ASSERT_MSG(result == 1,
+ "No smack access: " << subject << " " << object << " " << access);
+ }
+ // check excessive access
+ auto foundInAccess = [&access](std::string::value_type c) {
+ return access.find(c) != std::string::npos; };
+
+ std::string negative = "rwxatl";
+ auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
+ negative.erase(end, negative.end());
+
+ for(const auto& c : negative) {
+ int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
+ RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
+ RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
+ " subject:" << subject <<
+ " object:" << object <<
+ " right:" << std::string(1,c) <<
+ " result:" << result <<
+ " expected:0");
+ }
+}
+
+std::string access_opposite(std::string &access) {
+ static const std::map<char, int> access_mapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3},
+ {'t', 4}, {'l', 5}};
+ //May write implies may lock
+ if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) {
+ access.append("l");
+ }
+ std::string access_opposite = "rwxatl";
+ for (char c : access) {
+ access_opposite[access_mapping.at(c)] = '-';
+ }
+ auto it = std::remove_if(access_opposite.begin(), access_opposite.end(), [](char c) {return c == '-';});
+ access_opposite.erase(it, access_opposite.end());
+ return access_opposite;
+}
+void check_exact_smack_accesses(const std::string &subject, const std::string &object, const std::string &access) {
+ std::string access_str(access);
+ auto no_access = access_opposite(access_str);
+ for (char c : access_str) {
+ int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
+ RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object << ">, <" << c << "> errno=" << strerror(errno));
+ RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to "
+ << object << " not given");
+ }
+
+ for (char c : no_access) {
+ int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
+ RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object << ">, <" << c << "> errno=" << strerror(errno));
+ RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to "
+ << object << " unnecessarily given");
+ }
+}
+
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
{
Api::install(requestInst);
Api::install(requestInst);
- /* Check records in the security-manager database */
+ // Check records in the security-manager database
check_app_after_install(sm_app_id, sm_pkg_id);
InstallRequest requestUninst;
Api::uninstall(requestUninst);
Api::uninstall(requestUninst);
- /* Check records in the security-manager database */
+ // Check records in the security-manager database
check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
}
RUNNER_TEST(security_manager_02_app_install_uninstall_full)
{
+ std::string SM_RW_PATH = genRWPath(2);
+ std::string SM_RO_PATH = genROPath(2);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(2);
+
const char *const sm_app_id = "sm_test_02_app_id_full";
const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
- prepare_app_env();
+ prepare_app_env(2);
InstallRequest requestInst;
requestInst.setAppId(sm_app_id);
SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
/* TODO: add parameters to this function */
- check_app_path_after_install(sm_pkg_id);
+ check_app_path_after_install(2, sm_pkg_id, false);
InstallRequest requestUninst;
requestUninst.setAppId(sm_app_id);
const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
const char *const socketLabel = "not_expected_label";
std::string expected_label = generateAppLabel(app_id);
+ std::string expected_socket_label = socketLabel;
char *label = nullptr;
CStringPtr labelPtr;
int result;
uninstall_app(app_id, pkg_id, true);
install_app(app_id, pkg_id);
- struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
- //Clean up before creating socket
- unlink(SOCK_PATH);
- int sock = socket(AF_UNIX, SOCK_STREAM, 0);
- RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
+ const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03.socket");
+ int sock = UDSHelpers::createServer(&sockaddr);
SockUniquePtr sockPtr(&sock);
- //Bind socket to address
- result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
- RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
+
//Set socket label to something different than expecedLabel
- result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPIN, socketLabel);
+ result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, socketLabel);
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
- result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPOUT, socketLabel);
+ result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, socketLabel);
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
- Api::setProcessLabel(app_id);
-
- result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPIN, &label);
- RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
- labelPtr.reset(label);
- result = expected_label.compare(label);
- RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << label);
-
- result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPOUT, &label);
- RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
- labelPtr.reset(label);
- result = expected_label.compare(label);
- RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << label);
-
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0,
- " Error getting current process label");
- RUNNER_ASSERT_MSG(label != nullptr,
- " Process label is not set");
- labelPtr.reset(label);
- result = expected_label.compare(label);
- RUNNER_ASSERT_MSG(result == 0,
- " Process label is incorrect. Expected: \"" << expected_label <<
- "\" Actual: \"" << label << "\"");
+ SynchronizationPipe pipe;
+ pid_t pid = fork();
- uninstall_app(app_id, pkg_id, true);
+ if (pid != 0) { // parent process
+ pipe.claimParentEp();
+ Api::setProcessLabel(app_id);
+
+ result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
+ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
+ labelPtr.reset(label);
+ result = expected_socket_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+ expected_label << " Actual: " << label);
+
+ result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
+ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
+ labelPtr.reset(label);
+ result = expected_socket_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+ expected_label << " Actual: " << label);
+
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result >= 0,
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG(label != nullptr,
+ " Process label is not set");
+ labelPtr.reset(label);
+
+ result = expected_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0,
+ " Process label is incorrect. Expected: \"" << expected_label <<
+ "\" Actual: \"" << label << "\"");
+ pipe.post();
+ waitPid(pid);
+ } else { // child process
+ pipe.claimChildEp();
+ pipe.wait();
+ uninstall_app(app_id, pkg_id, true);
+ exit(0);
+ }
}
RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
uninstall_app(app_id, pkg_id, true);
install_app(app_id, pkg_id);
- Api::setProcessLabel(app_id);
+ {
+ ScopedProcessLabel keepLabel;
+ Api::setProcessLabel(app_id);
+ }
uninstall_app(app_id, pkg_id, true);
}
return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
}
+static uid_t getGlobalGroupId(void)
+{
+ gid_t global_uid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
+ errno = 0;
+ passwd* pw = getpwuid(global_uid);
+ RUNNER_ASSERT_ERRNO_MSG(pw, "getpwuid() failed.");
+ return pw->pw_gid;
+
+}
+
static const std::string appDirPath(const TemporaryTestUser &user,
const std::string &appId, const std::string &pkgId)
{
removeDir(nonAppDirPath(user));
}
+
+
RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
{
int result;
check_app_after_uninstall(app_id, pkg_id, true);
}
-RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
+RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
{
//TEST DATA
const std::string username("sm_test_10_user_name");
users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) { //parent process
+ pipe.claimParentEp();
TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
tmpUser.create();
InstallRequest requestInst;
requestInst.setAppId(app.first.c_str());
try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
} catch (const std::out_of_range &e) {
RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
};
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- //Start child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
- int status;
- wait(&status);
+ //Start child process
+ pipe.post();
+ waitPid(pid);
tmpUser.remove();
- };
-
- if (pid == 0) { //child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
- //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
struct passwd *pw = getUserStruct(username);
+ std::string uidStr = std::to_string(pw->pw_uid);
register_current_process_as_privilege_manager(pw->pw_uid);
int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
+ RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
+
try {
- struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
- std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
- if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
+ std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(username).at(app).end())
RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
} catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
- } catch (const std::invalid_argument& e) {
- RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
};
};
exit(0);
};
}
-RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
+RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
++privileges_count;
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) { //parent process
+ pipe.claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
InstallRequest requestInst;
requestInst.setAppId(app.first.c_str());
try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
} catch (const std::out_of_range &e) {
RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
};
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- //Start child
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
- int status;
- wait(&status);
+ //Start child
+ pipe.post();
+ waitPid(pid);
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
- };
- if (pid == 0) {
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
+
struct passwd *pw = getUserStruct(usernames.at(0));
+ std::string uidStr = std::to_string(pw->pw_uid);
register_current_process_as_privilege_manager(pw->pw_uid);
//change uid to normal user
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
+ RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
+
try {
- struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
- std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
- if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
+ std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
} catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
- } catch (const std::invalid_argument& e) {
- RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
+ RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
};
};
exit(0);
};
}
-RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
+RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
{
+ std::vector<PolicyEntry> oldPolicyVec;
+ Api::getPolicy(PolicyEntry(), oldPolicyVec);
+ std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
+
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
- unsigned int privileges_count = 0;
+ unsigned int privileges_count = oldPolicyVec.size();
std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
std::map<std::string, std::set<std::string>> apps2PrivsMap;
for (const auto &username : usernames) {
-
for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
MANY_APPS.at(i), std::set<std::string>(
privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
};
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
};
- users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
+ users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
+ std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
privileges_count += 2;
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) { //parent process
+ pipe.claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
InstallRequest requestInst;
requestInst.setAppId(app.first.c_str());
try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
} catch (const std::out_of_range &e) {
RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
};
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- //Start child
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
-
- //Wait for child to finish
- int status;
- wait(&status);
+ //Start child process
+ pipe.post();
+ waitPid(pid);
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
- };
- if (pid == 0) { //child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
struct passwd *pw = getUserStruct(usernames.at(1));
- register_current_process_as_privilege_manager(pw->pw_uid, true);
+ uid_t myUid = pw->pw_uid;
+ gid_t myGid = pw->pw_gid;
+ std::string uidStr1 = std::to_string(myUid);
+ pw = getUserStruct(usernames.at(0));
+ std::string uidStr0 = std::to_string(pw->pw_uid);
+ register_current_process_as_privilege_manager(myUid, true);
//change uid to normal user
- int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+ int result = drop_root_privileges(myUid, myGid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter;
//this call should succeed as the calling user is privileged
- Api::getPolicy(filter, policyEntries);
+ Api::getPolicy(PolicyEntry(), policyEntries);
RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
for (const auto &policyEntry : policyEntries) {
+ if (oldPolicySet.count(policyEntry))
+ continue;
+
std::string user = policyEntry.getUser();
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
+ RUNNER_ASSERT_MSG(user == uidStr0 || user == uidStr1, "Unexpected user: " << user);
+
+ std::string uidStrToLook = user == uidStr0 ? usernames.at(0) : usernames.at(1);
+
try {
- struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
- std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
- if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
+ std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
} catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
} catch (const std::invalid_argument& e) {
RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
};
};
}
-RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
+RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
//TEST DATA END
pid_t pid[2];
- sem_t *mutex[2];
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
+ SynchronizationPipe sync[2];
std::vector<PolicyEntry> policyEntries;
pid[0] = fork();
- if(pid[0] == 0) { //child #1 process
- RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
+ if (pid[0] == 0) { //child #1 process
+ sync[0].claimChildEp();
+ sync[0].wait();
+
struct passwd *pw = getUserStruct(usernames.at(0));
register_current_process_as_privilege_manager(pw->pw_uid);
PolicyEntry filter;
PolicyRequest policyRequest;
- //this call should succeed as the calling user is privileged
- Api::getPolicyForSelf(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
PolicyEntry policyEntry(
MANY_APPS[0],
policyEntry = PolicyEntry(
MANY_APPS[1],
std::to_string(pw->pw_uid),
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
);
policyEntry.setLevel("Deny");
policyRequest.addEntry(policyEntry);
Api::sendPolicy(policyRequest);
- Api::getPolicyForSelf(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
exit(0);
- };
-
- if (pid[0] != 0) {//parent process
+ } else { //parent process
+ sync[0].claimParentEp();
pid[1] = fork();
if (pid[1] == 0) { //child #2 process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
- struct passwd *pw_target = getUserStruct(usernames.at(0));
- struct passwd *pw = getUserStruct(usernames.at(1));
- register_current_process_as_privilege_manager(pw->pw_uid);
+ sync[1].claimChildEp();
+ sync[1].wait();
+
+ struct passwd *pw = getUserStruct(usernames.at(0));
+ uid_t target_uid = pw->pw_uid;
+ pw = getUserStruct(usernames.at(1));
+ uid_t my_uid = pw->pw_uid;
+ gid_t my_gid = pw->pw_gid;
+
+ register_current_process_as_privilege_manager(my_uid);
//change uid to normal user
- int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+ int result = drop_root_privileges(my_uid, my_gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
PolicyEntry filter = PolicyEntry(
SECURITY_MANAGER_ANY,
- std::to_string(pw_target->pw_uid),
+ std::to_string(target_uid),
SECURITY_MANAGER_ANY
);
//U2 requests contents of U1 privacy manager - should fail
- Api::getPolicyForSelf(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
+ Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
filter = PolicyEntry(
SECURITY_MANAGER_ANY,
//U2 requests contents of ADMIN bucket - should fail
Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
exit(0);
- };
-
- if (pid[1] != 0) { //parent
-
+ } else { //parent
+ sync[1].claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
+ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
};
users.at(0).create();
InstallRequest requestInst;
requestInst.setAppId(app.first.c_str());
try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
} catch (const std::out_of_range &e) {
RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
};
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- int status;
//Start child #1
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
-
- //Wait until child #1 finishes
- pid_t ret = wait(&status);
- RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
+ sync[0].post();
+ waitPid(pid[0]);
//Start child #2
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
- //Wait until child #2 finishes
- ret = wait(&status);
- RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
+ sync[1].post();
+ waitPid(pid[1]);
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
-
- sem_close(mutex[0]);
- sem_close(mutex[1]);
};
};
}
-RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
+RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
privileges_count += 2;
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) {
+ pipe.claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
InstallRequest requestInst;
requestInst.setAppId(app.first.c_str());
try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
} catch (const std::out_of_range &e) {
RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
};
Api::install(requestInst);
};
};
+
//Start child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
- int status;
- //Wait for child process to finish
- wait(&status);
+ pipe.post();
+ waitPid(pid);
//switch back to root
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
-
- sem_close(mutex);
- }
- if (pid == 0) { //child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
- struct passwd *pw = getUserStruct(usernames.at(0));
+ struct passwd *pw = getUserStruct(usernames.at(1));
register_current_process_as_privilege_manager(pw->pw_uid, true);
//change uid to normal user
//this call should succeed as the calling user is privileged
Api::getPolicyForSelf(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
+ unsigned int policyNum = policyEntries.size();
PolicyEntry policyEntry(
SECURITY_MANAGER_ANY,
policyEntry = PolicyEntry(
SECURITY_MANAGER_ANY,
SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
);
policyEntry.setMaxLevel("Deny");
Api::sendPolicy(*policyRequest);
Api::getPolicyForAdmin(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
+ << policyNum + 2 << " and is " << policyEntries.size());
delete policyRequest;
policyRequest = new PolicyRequest();
policyEntry = PolicyEntry(
SECURITY_MANAGER_ANY,
SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
);
policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
}
-RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
+RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
{
const char *const update_app_id = "security_manager_15_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
const std::string username("sm_test_15_username");
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
struct message {
uid_t uid;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
}
-RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
+RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
{
const char *const update_other_app_id = "security_manager_15_update_other_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
const std::string username("sm_test_15_username");
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
struct message {
uid_t uid;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
}
-RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
+RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
{
const char *const update_app_id = "security_manager_15_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
const std::string username("sm_test_15_username");
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
struct message {
uid_t uid;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
}
-RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
+RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
{
const std::string username("sm_test_16_user_cynara_policy");
CynaraTestAdmin::Admin admin;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
}
if(pid == 0)
{
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
- // without plugins there should only be 2 policies - Allow and Deny
+ // 3 should be there when ask-user is installed
ret = security_manager_policy_levels_get(&levels, &count);
RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
"Invlid return code: " << ret);
- RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
+ RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
deny_policy = std::string(levels[0]);
allow_policy = std::string(levels[count-1]);
}
}
-RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
{
const char *const update_app_id = "security_manager_17_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
int pipefd[2];
int pipefd2[2];
- pid_t pid;
+ pid_t pid[2];
int result = 0;
+ ScopedProcessLabel keepLabel;
RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
+ pid[0] = fork();
+ RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
+ if (pid[0] != 0)//parent process
{
FdUniquePtr pipeptr(pipefd+1);
close(pipefd[0]);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid[0]);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- pid = fork();
- if (pid != 0)//parent process
+ pid[1] = fork();
+ if (pid[1] != 0)//parent process
{
FdUniquePtr pipeptr(pipefd2+1);
close(pipefd2[0]);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
-
- //wait for child
- waitpid(-1, &result, 0);
+ waitPid(pid[1]);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
}
- if(pid == 0)
+ if(pid[1] == 0)
{
FdUniquePtr pipeptr(pipefd2);
close(pipefd2[1]);
ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
exit(0);
}
}
- if(pid == 0)
+ if(pid[0] == 0)
{
FdUniquePtr pipeptr(pipefd);
close(pipefd[1]);
}
}
-RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
{
const std::string username("sm_test_17_user_name");
int pipefd[2];
pid_t pid;
int result = 0;
+ ScopedProcessLabel keepLabel;
RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
unsigned int privileges_count = 0;
- register_current_process_as_privilege_manager(user.getUid(), false);
- //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
- ++privileges_count;
-
for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
InstallRequest requestInst;
requestInst.setAppId(MANY_APPS[i].c_str());
- requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
+ requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).package.c_str());
requestInst.setUid(user.getUid());
for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
};
+ register_current_process_as_privilege_manager(user.getUid(), false);
+ //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+ ++privileges_count;
+
//send info to child
msg.uid = user.getUid();
msg.gid = user.getGid();
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
}
if(pid == 0)
{
}
}
-RUNNER_CHILD_TEST(security_manager_18_user_cynara_policy)
+RUNNER_TEST(security_manager_18_user_cynara_policy)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
const char *const MAIN_BUCKET = "MAIN";
const char *const MANIFESTS_BUCKET = "MANIFESTS";
const char *const ADMIN_BUCKET = "ADMIN";
const std::string username("sm_test_10_user_cynara_policy");
CynaraTestAdmin::Admin admin;
std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
user.getUidString(uid_string);
admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
}
-RUNNER_CHILD_TEST(security_manager_19_security_manager_cmd_install)
+RUNNER_TEST(security_manager_19_security_manager_cmd_install)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
int ret;
const int SUCCESS = 0;
const int FAILURE = 256;
const std::string pkg_id = "security_manager_10_pkg";
const std::string username("sm_test_10_user_name");
std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
user.getUidString(uid_string);
const std::string path1 = appDirPath(user, app_id, pkg_id) + "/p1";
{"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
{installcmd, SUCCESS},
{"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
- {installcmd + " --path " + path1 + " writable", SUCCESS},
+ {installcmd + " --path " + path1 + " rw", SUCCESS},
{installcmd + " --path " + path1, FAILURE},//no path type
- {installcmd + " --path " + path1 + " writable" + " --path " + path2 + " readable", SUCCESS},
- {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " readable", FAILURE},//wrong path type
- {installcmd + " --path " + path1 + " writable" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+ {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
+ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
+ {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
};
for (auto &op : operations) {
- ret = system(op.command.c_str());
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
RUNNER_ASSERT_MSG(ret == op.expected_result,
"Unexpected result for command '" << op.command <<"': "
<< ret << " Expected was: "<< op.expected_result);
}
}
-RUNNER_CHILD_TEST(security_manager_20_security_manager_cmd_users)
+RUNNER_TEST(security_manager_20_security_manager_cmd_users)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
int ret;
const int SUCCESS = 0;
const int FAILURE = 256;
const std::string username("sm_test_11_user_name");
std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
user.getUidString(uid_string);
const std::string uidopt = " --uid=" + uid_string;
};
for (auto &op : operations) {
- ret = system(op.command.c_str());
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
RUNNER_ASSERT_MSG(ret == op.expected_result,
"Unexpected result for command '" << op.command <<"': "
<< ret << " Expected was: "<< op.expected_result);
}
}
-RUNNER_MULTIPROCESS_TEST(security_manager_21_security_manager_admin_deny_user_priv)
+RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
{
const int BUFFER_SIZE = 128;
struct message {
} msg;
privileges_t admin_required_privs = {
- "http://tizen.org/privilege/systemsettings.admin",
- "http://tizen.org/privilege/systemsettings"};
+ PRIVILEGE_MANAGER_SELF_PRIVILEGE,
+ PRIVILEGE_MANAGER_ADMIN_PRIVILEGE};
privileges_t manifest_privs = {
"http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/camera"};
- privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+ "http://tizen.org/privilege/datasharing"};
+ privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
const std::string pirivman_id = "sm_test_13_ADMIN_APP";
if (pid != 0)//parent process
{
std::string childuidstr;
- TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
- TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
+ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
InstallRequest request,request2;
FdUniquePtr pipeptr(pipefd+1);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
real_privs_allow, real_privs_deny);
}
}
-void saveMappingsToDb(const std::string &version_from, const std::string &version_to,
- const privileges_t &privileges, const std::vector<privileges_t> &mappings) {
+void setupPrivilegeGroups(const privileges_t &privileges, const std::vector<std::string> &groups)
+{
TestSecurityManagerDatabase db;
- RUNNER_ASSERT_MSG(privileges.size() == mappings.size(), "Wrong given privileges and mappings size");
- auto privIt = privileges.begin();
- auto mappIt = mappings.begin();
- for (; privIt != privileges.end() && mappIt != mappings.end(); privIt++, mappIt++) {
- for (const auto &mapping : *mappIt) {
- db.setup_privilege_mapping(version_from, version_to, *privIt, mapping);
- }
+ for (const auto &privilege : privileges) {
+ db.setup_privilege_groups(privilege, groups);
}
}
-void saveDefaultMappingsToDb(const std::string &version_from, const std::string &version_to,
- const privileges_t &privileges) {
- TestSecurityManagerDatabase db;
- for (auto &privilege : privileges) {
- db.setup_default_version_privilege(version_from, version_to, privilege);
+std::vector<std::string> readPrivilegeGroups()
+{
+ std::vector<std::string> groups;
+ const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
+ std::ifstream mappingFile(privilegeGroupMappingPath);
+
+ RUNNER_ASSERT_MSG(mappingFile.is_open(),
+ "Unable to read group mapping file " << privilegeGroupMappingPath);
+
+ std::string line;
+ std::regex r("^[^ #]+ +(.*)");
+ while (std::getline(mappingFile, line)) {
+ std::smatch m;
+ if (std::regex_search(line, m, r))
+ groups.push_back(m[1]);
}
+
+ return groups;
}
-void concatUnique(privileges_t &to, const privileges_t &from) {
- to.reserve(to.size() + from.size());
- for (auto &new_priv : from) {
- if (std::find(to.begin(), to.end(), new_priv) == to.end())
- to.push_back(new_priv);
+RUNNER_TEST(security_manager_22_groups_get)
+{
+ setupPrivilegeGroups(SM_ALLOWED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+ std::unordered_set<std::string> groups;
+ auto tmp = readPrivilegeGroups();
+ groups.insert(tmp.begin(), tmp.end());
+ groups.insert(SM_ALLOWED_GROUPS.begin(), SM_ALLOWED_GROUPS.end());
+
+ char ** c_groups;
+ size_t count = 0;
+
+ Api::getSecurityManagerGroups(&c_groups, &count);
+ RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
+ << groups.size() << " but count is: " << count);
+
+ for (const auto &group : groups) {
+ bool found = false;
+ for (size_t i = 0; i < count; ++i) {
+ if (group == c_groups[i]) {
+ found = true;
+ break;
+ }
+ }
+ RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
}
+ security_manager_groups_free(c_groups, count);
}
-RUNNER_TEST(security_manager_22_get_privilege_mappings)
+namespace {
+const int sm_app_shared_test_id = 27;
+const char *const sm_app_shared_id = "sm_test_27_app_id_full";
+const char *const sm_app_shared_another_in_package_id = "sm_test_27_app_2_id_full";
+const char *const sm_pkg_shared_id = "sm_test_27_pkg_id_full";
+
+void test_success_worker(const std::string &appName, int test_num)
{
- saveMappingsToDb(OLD_VERSION, NEW_VERSION, OLD_PRIVILEGES, NEW_PRIVILEGES);
- saveDefaultMappingsToDb(OLD_VERSION, NEW_VERSION, DEFAULT_PRIVILEGES);
- privileges_t retrievedMapping;
- std::string current;
- auto expectedIt = NEW_PRIVILEGES.begin();
- for (const auto &privilege : OLD_PRIVILEGES) {
- retrievedMapping.clear();
- std::vector<std::string> privilegeToMap = {privilege};
- Api::getPrivilegesMappings(OLD_VERSION.c_str(), NEW_VERSION.c_str(),
- privilegeToMap, retrievedMapping);
- std::vector<std::string> expectedPrivileges = *expectedIt;
- concatUnique(expectedPrivileges, DEFAULT_PRIVILEGES);
- RUNNER_ASSERT_MSG(retrievedMapping.size() == expectedPrivileges.size(),
- "Wrong count of mappings returned for " << privilege << "."
- " Got " << retrievedMapping.size()
- << " expected " << expectedPrivileges.size());
- RUNNER_ASSERT_MSG(std::is_permutation(retrievedMapping.begin(), retrievedMapping.end(), expectedPrivileges.begin()),
- "Wrong mapping returned for " << privilege);
- ++expectedIt;
- }
+ std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(test_num);
+
+ changeSecurityContext(generateAppLabel(appName), APP_UID, APP_GID);
+
+ RUNNER_ASSERT_ERRNO_MSG(::access(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), R_OK|X_OK) != -1,
+ "access (" << SM_OWNER_RW_OTHERS_RO_PATH << ") from " << appName << " failed " << " to " << SM_OWNER_RW_OTHERS_RO_PATH );
}
-RUNNER_TEST(security_manager_23_get_privileges_mappings)
+void test_fail_worker(const std::string &appName, int test_num)
{
- saveMappingsToDb(OLD_VERSION, NEW_VERSION, OLD_PRIVILEGES, NEW_PRIVILEGES);
- saveDefaultMappingsToDb(OLD_VERSION, NEW_VERSION, DEFAULT_PRIVILEGES);
+ std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(test_num);
- std::vector<std::string> retrievedMapping;
- std::vector<std::string> expectedPrivileges = DEFAULT_PRIVILEGES;
- for(auto &expected : NEW_PRIVILEGES) {
- concatUnique(expectedPrivileges, expected);
- }
- const std::vector<std::string> &privilegesToMap = OLD_PRIVILEGES;
+ changeSecurityContext(generateAppLabel(appName), APP_UID, APP_GID);
- Api::getPrivilegesMappings(OLD_VERSION.c_str(), NEW_VERSION.c_str(), privilegesToMap, retrievedMapping);
- RUNNER_ASSERT_MSG(retrievedMapping.size() == expectedPrivileges.size(),
- "Wrong count of mappings returned. Got " << retrievedMapping.size()
- << " expected " << expectedPrivileges.size());
- RUNNER_ASSERT_MSG(std::is_permutation(retrievedMapping.begin(), retrievedMapping.end(), expectedPrivileges.begin()),
- "Wrong mapping returned for privileges set");
+ RUNNER_ASSERT_MSG(::access(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), R_OK|X_OK) == -1,
+ "access (" << SM_OWNER_RW_OTHERS_RO_PATH << ") from " << appName
+ << " surprisingly succeeded, while expecting fail");
}
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PUBLIC_SHARING)
-RUNNER_TEST(security_manager_24_get_privileges_mappings_default_version)
+RUNNER_TEST(security_manager_27a_API2X_app_install)
{
- saveMappingsToDb(OLD_VERSION, NEW_VERSION, OLD_PRIVILEGES, NEW_PRIVILEGES);
- saveDefaultMappingsToDb(OLD_VERSION, NEW_VERSION, DEFAULT_PRIVILEGES);
+ std::string SM_RW_PATH = genRWPath(sm_app_shared_test_id);
+ std::string SM_RO_PATH = genROPath(sm_app_shared_test_id);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(sm_app_shared_test_id);
+ std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(sm_app_shared_test_id);
+ prepare_app_env(sm_app_shared_test_id, true);
+
+ // install other apps
+ for(const auto &app : MANY_APPS_PKGS) {
+ InstallRequest requestInst;
+ requestInst.setAppId(app.first.c_str());
+ requestInst.setPkgId(app.second.package.c_str());
+ requestInst.setAppTizenVersion(app.second.Tizen_ver.c_str());
+
+ Api::install(requestInst);
+ };
+
+ // install
+ {
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_shared_id);
+ requestInst.setPkgId(sm_pkg_shared_id);
+ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
+ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
+ requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
+ requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
+ requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ requestInst.addPath(SM_OWNER_RW_OTHERS_RO_PATH, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
+ requestInst.setAppTizenVersion("2.4");
+ Api::install(requestInst);
+ }
- std::vector<std::string> retrievedMapping;
- std::vector<std::string> expectedPrivileges = DEFAULT_PRIVILEGES;
- for(auto &expected : NEW_PRIVILEGES) {
- concatUnique(expectedPrivileges, expected);
+ // another app in package
+ {
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_shared_another_in_package_id);
+ requestInst.setPkgId(sm_pkg_shared_id);
+ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
+ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
+ requestInst.addPath(SM_OWNER_RW_OTHERS_RO_PATH, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
+ requestInst.setAppTizenVersion("2.4");
+ Api::install(requestInst);
}
- const std::vector<std::string> &privilegesToMap = OLD_PRIVILEGES;
- Api::getPrivilegesMappings(OLD_VERSION.c_str(), nullptr, privilegesToMap, retrievedMapping);
- RUNNER_ASSERT_MSG(retrievedMapping.size() == expectedPrivileges.size(),
- "Wrong count of mappings returned. Got " << retrievedMapping.size()
- << " expected " << expectedPrivileges.size());
- RUNNER_ASSERT_MSG(std::is_permutation(retrievedMapping.begin(), retrievedMapping.end(), expectedPrivileges.begin()),
- "Wrong mapping returned for privileges set");
+ /* Check records in the security-manager database */
+ check_app_after_install(sm_app_shared_id, sm_pkg_shared_id,
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
+ /* Check records in the security-manager database */
+ check_app_after_install(sm_app_shared_another_in_package_id, sm_pkg_shared_id,
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+ /* TODO: add parameters to this function */
+ check_app_path_after_install(sm_app_shared_test_id, sm_pkg_shared_id, true);
+
+ RUNNER_ASSERT_ERRNO_MSG(::access(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), R_OK|X_OK) != -1, "access (" << SM_OWNER_RW_OTHERS_RO_PATH << ") failed");
+}
+
+RUNNER_CHILD_TEST(security_manager_27b_owner_1_have_access)
+{
+ test_success_worker(sm_app_shared_id, sm_app_shared_test_id);
+}
+
+RUNNER_CHILD_TEST(security_manager_27c_owner_2_have_access)
+{
+ test_success_worker(sm_app_shared_another_in_package_id, sm_app_shared_test_id);
}
-RUNNER_TEST(security_manager_25_get_default_mappings)
+RUNNER_CHILD_TEST(security_manager_27d_API2X_apps_have_access_app_1)
{
- saveDefaultMappingsToDb(OLD_VERSION, NEW_VERSION, DEFAULT_PRIVILEGES);
+ test_success_worker("security_manager_10_app_1", sm_app_shared_test_id);
+}
+
+RUNNER_CHILD_TEST(security_manager_27e_API2X_apps_dont_have_access_app_2)
+{
+ test_fail_worker("security_manager_10_app_2", sm_app_shared_test_id);
+}
- std::vector<std::string> retrievedMapping;
- std::vector<std::string> expectedPrivileges = DEFAULT_PRIVILEGES;
+RUNNER_CHILD_TEST(security_manager_27f_API2X_apps_have_access_app_3)
+{
+ test_success_worker("security_manager_10_app_3", sm_app_shared_test_id);
+}
- // Empty privilege to map vector will indicate nullptr privilege array in security-manager API
- std::vector<std::string> privilegeToMap;
+RUNNER_CHILD_TEST(security_manager_27g_API2X_apps_dont_have_access_app_4)
+{
+ test_fail_worker("security_manager_10_app_4", sm_app_shared_test_id);
+}
- Api::getPrivilegesMappings(OLD_VERSION.c_str(), NEW_VERSION.c_str(), privilegeToMap, retrievedMapping);
- RUNNER_ASSERT_MSG(retrievedMapping.size() == expectedPrivileges.size(),
- "Wrong count of mappings returned. Got " << retrievedMapping.size()
- << " expected " << expectedPrivileges.size());
- RUNNER_ASSERT_MSG(std::is_permutation(retrievedMapping.begin(), retrievedMapping.end(), expectedPrivileges.begin()),
- "Wrong default mapping returned");
+RUNNER_CHILD_TEST(security_manager_27h_API2X_apps_have_access_app_5)
+{
+ test_success_worker("security_manager_10_app_5", sm_app_shared_test_id);
}
-RUNNER_TEST(security_manager_26_get_default_mappings_default_version)
+
+RUNNER_TEST(security_manager_27i_API2X_app_uninstall)
{
- saveDefaultMappingsToDb(OLD_VERSION, NEW_VERSION, DEFAULT_PRIVILEGES);
+ {
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_shared_id);
+ Api::uninstall(requestUninst);
+ }
+ {
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_shared_another_in_package_id);
+ Api::uninstall(requestUninst);
+ }
- std::vector<std::string> retrievedMapping;
- std::vector<std::string> expectedPrivileges = DEFAULT_PRIVILEGES;
+ /* Check records in the security-manager database,
+ * all previously allowed privileges should be removed */
+ check_app_after_uninstall(sm_app_shared_id, sm_pkg_shared_id,
+ SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(sm_app_shared_another_in_package_id, sm_pkg_shared_id,
+ SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
+}
- // Empty privilege to map vector will indicate nullptr privilege array in security-manager API
- std::vector<std::string> privilegeToMap;
+RUNNER_TEST(security_manager_27j_API30_app_install)
+{
+ std::string SM_RW_PATH = genRWPath(sm_app_shared_test_id);
+ std::string SM_RO_PATH = genROPath(sm_app_shared_test_id);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(sm_app_shared_test_id);
+ std::string SM_OWNER_RW_OTHERS_RO_PATH = genOwnerRWOthersROPath(sm_app_shared_test_id);
+ prepare_app_env(sm_app_shared_test_id, true);
- Api::getPrivilegesMappings(OLD_VERSION.c_str(), nullptr, privilegeToMap, retrievedMapping);
- RUNNER_ASSERT_MSG(retrievedMapping.size() == expectedPrivileges.size(),
- "Wrong count of mappings returned. Got " << retrievedMapping.size()
- << " expected " << expectedPrivileges.size());
- RUNNER_ASSERT_MSG(std::is_permutation(retrievedMapping.begin(), retrievedMapping.end(), expectedPrivileges.begin()),
- "Wrong default mapping returned");
+ // install
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_shared_id);
+ requestInst.setPkgId(sm_pkg_shared_id);
+ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
+ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
+ requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
+ requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
+ requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ requestInst.addPath(SM_OWNER_RW_OTHERS_RO_PATH, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
+ requestInst.setAppTizenVersion("3.0");
+
+ Api::install(requestInst);
+
+ /* Check records in the security-manager database */
+ check_app_after_install(sm_app_shared_id, sm_pkg_shared_id,
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+ /* TODO: add parameters to this function */
+ check_app_path_after_install(sm_app_shared_test_id, sm_pkg_shared_id, true);
+
+ RUNNER_ASSERT_ERRNO_MSG(::access(SM_OWNER_RW_OTHERS_RO_PATH.c_str(), R_OK|X_OK) != -1, "access (" << SM_OWNER_RW_OTHERS_RO_PATH << ") failed");
+}
+
+RUNNER_CHILD_TEST(security_manager_27k_API30_apps_dont_have_access_app_1)
+{
+ test_fail_worker("security_manager_10_app_1", sm_app_shared_test_id);
+}
+
+RUNNER_CHILD_TEST(security_manager_27l_API30_apps_dont_have_access_app_2)
+{
+ test_fail_worker("security_manager_10_app_2", sm_app_shared_test_id);
+}
+
+RUNNER_CHILD_TEST(security_manager_27m_API30_apps_dont_have_access_app_3)
+{
+ test_fail_worker("security_manager_10_app_3", sm_app_shared_test_id);
+}
+
+RUNNER_CHILD_TEST(security_manager_27n_API30_apps_dont_have_access_app_4)
+{
+ test_fail_worker("security_manager_10_app_4", sm_app_shared_test_id);
+}
+
+RUNNER_CHILD_TEST(security_manager_27o_API30_apps_dont_have_access_app_5)
+{
+ test_fail_worker("security_manager_10_app_5", sm_app_shared_test_id);
+}
+
+RUNNER_TEST(security_manager_27p_API30_app_uninstall)
+{
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_shared_id);
+
+ Api::uninstall(requestUninst);
+
+ /* Check records in the security-manager database,
+ * all previously allowed privileges should be removed */
+ check_app_after_uninstall(sm_app_shared_id, sm_pkg_shared_id,
+ SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
+
+ // install other apps
+ for(const auto &app : MANY_APPS_PKGS) {
+ InstallRequest requestUninst;
+ requestUninst.setAppId(app.first);
+
+ Api::uninstall(requestUninst);
+ };
+}
+
+namespace {
+const char *const owner_access = "rwxat";
+const char *const target_path_access = "rxl";
+const char *const target_dir_access = "x";
+const char *const no_access = "";
+
+void check_system_access(const std::string pathLabel, bool apply = true) {
+ check_exact_smack_accesses("User", pathLabel, (apply ? owner_access : no_access));
+ check_exact_smack_accesses("System", pathLabel, (apply ? owner_access : no_access));
+}
+
+void check_owner_access(const std::string &ownerLabel, const std::string &pathLabel, bool apply = true) {
+ check_exact_smack_accesses(ownerLabel, pathLabel, (apply ? owner_access : no_access));
+}
+
+void check_target_access(const std::string &ownerPkgLabel, const std::string &targetLabel,
+ const std::string &pathLabel, bool pathShared = true, bool anyPathShared = true) {
+ check_exact_smack_accesses(targetLabel, pathLabel, (pathShared ? target_path_access : no_access));
+ check_exact_smack_accesses(targetLabel, ownerPkgLabel, (anyPathShared ? target_dir_access : no_access));
+}
+
+void check_path_label(const std::string &path, const std::string &expectedLabel) {
+ char *label = nullptr;
+ int ret = smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, 0, &label);
+ RUNNER_ASSERT_MSG(ret > 0, "smack_new_label_from_path failed for " << path);
+ SmackLabelPtr realLabel(label);
+ RUNNER_ASSERT_MSG(realLabel.get() == expectedLabel, "Fetched label from " << path << " different"
+ " than expected, is : " << realLabel.get() << " should be " << expectedLabel);
+}
+
+void createFile(const std::string &filePath)
+{
+ //create temporary file and set label for it
+ mode_t systemMask;
+
+ unlink(filePath.c_str());
+ //allow to create file with 777 rights
+ systemMask = umask(0000);
+ int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
+ //restore system mask
+ umask(systemMask);
+ RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests");
+
+ //for descriptor protection
+ FdUniquePtr fd_ptr(&fd);
+
+ //change owner and group to user APP
+ int ret = chown(filePath.c_str(), APP_UID, APP_GID);
+ RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner");
+}
+
+}
+
+RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING)
+
+RUNNER_TEST(security_manager_30a_send_incomplete_req1)
+{
+ SharingRequest request;
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setTargetAppId("someTarget");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30b_send_incomplete_req2)
+{
+ SharingRequest request;
+ request.setTargetAppId("someTarget");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30c_send_incomplete_req3)
+{
+ SharingRequest request;
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30d_unknown_owner)
+{
+ // This test depends on order of checks in security-manager service implementation
+ SharingRequest request;
+ request.setOwnerAppId("ImPrettySureIDontExist");
+ request.setTargetAppId("IDontMatter");
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+}
+
+struct PathInfo {
+ const std::string &path;
+ app_install_path_type path_type;
+};
+
+static InstallRequest createInstallReq(const std::string &appName, const std::string &pkgName,
+ const std::vector<PathInfo> &paths){
+ InstallRequest req;
+ req.setAppId(appName);
+ req.setPkgId(pkgName);
+ for (const auto &pathInfo : paths) {
+ req.addPath(pathInfo.path, pathInfo.path_type);
+ }
+ return req;
+}
+
+static InstallRequest createInstallReq(const AppInstallHelper &info,
+ const std::vector<PathInfo> &paths = std::vector<PathInfo>()){
+ return createInstallReq(info.getAppId(), info.getPkgId(), paths);
+}
+
+static void clearLabels(const std::string &path) {
+ int result = nftw(path.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << path);
+}
+
+
+RUNNER_TEST(security_manager_30e_unknown_target)
+{
+ // This test depends on order of checks in security-manager service implementation
+ AppInstallHelper owner("installedApp");
+ owner.revokeRules();
+ owner.createInstallDir();
+ InstallRequest ownerInst;
+ ownerInst.setAppId(owner.getAppId());
+ ownerInst.setPkgId(owner.getPkgId());
+ Api::install(ownerInst);
+
+ SharingRequest request;
+ request.setOwnerAppId(owner.getAppId());
+ request.setTargetAppId("NowImPrettySureIDontExist");
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerInst);
+}
+
+RUNNER_TEST(security_manager_30f_bad_paths)
+{
+ // This test depends on order of checks in security-manager service implementation
+ AppInstallHelper owner("installedApp");
+ owner.revokeRules();
+ owner.createInstallDir();
+ InstallRequest ownerInst = createInstallReq(owner);
+ Api::install(ownerInst);
+
+ AppInstallHelper target("secondInstalledApp");
+ target.revokeRules();
+ target.createInstallDir();
+ InstallRequest targetInst = createInstallReq(target);
+ Api::install(targetInst);
+
+ SharingRequest request;
+ request.setOwnerAppId(owner.getAppId());
+ request.setTargetAppId(target.getAppId());
+
+ const char *somePath = "/tmp/somePath";
+ createFile(somePath);
+ const char *somePaths[] = {somePath};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER);
+
+ Api::uninstall(ownerInst);
+ Api::uninstall(targetInst);
+}
+
+RUNNER_TEST(security_manager_31_simple_share)
+{
+ std::vector<AppInstallHelper> helper {{"app31a"}, {"app31b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_32_double_share)
+{
+ std::vector<AppInstallHelper> helper {{"app32a"}, {"app32b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath(0);
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+RUNNER_TEST(security_manager_33_share_two_with_one)
+{
+ std::vector<AppInstallHelper> helper {{"app33a"}, {"app33b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile(0);
+ owner.createSharedFile(1);
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1, share2;
+ std::string sharedPath1 = owner.getSharedPath(0);
+ std::string sharedPath2 = owner.getSharedPath(1);
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ share2.setTargetAppId(target.getAppId());
+ const char *path1[] = {sharedPath1.c_str()};
+ const char *path2[] = {sharedPath2.c_str()};
+ share1.addPaths(path1, 1);
+ share2.addPaths(path2, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath1, pathLabel1);
+
+ Api::applySharing(share2);
+ std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
+ RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for private shared paths should be unique!");
+
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel2, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2, false, false);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_34_share_one_with_two)
+{
+ std::vector<AppInstallHelper> helper {{"app34a"}, {"app34b"}, {"app34c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq = createInstallReq(helper[i]);
+ Api::install(targetReq);
+ }
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq = createInstallReq(helper[i]);
+ Api::uninstall(targetReq);
+ }
+}
+
+RUNNER_TEST(security_manager_35_share_two_with_two)
+{
+ std::vector<AppInstallHelper> helper {{"app35a"}, {"app35b"}, {"app35c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile(0);
+ owner.createSharedFile(1);
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
+
+ Api::install(ownerReq);
+
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq = createInstallReq(helper[i]);
+ Api::install(targetReq);
+ }
+
+ SharingRequest share1, share2;
+ std::string sharedPath1 = owner.getSharedPath(0).c_str();
+ std::string sharedPath2 = owner.getSharedPath(1).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path1[] = {sharedPath1.c_str()};
+ const char *path2[] = {sharedPath2.c_str()};
+ share1.addPaths(path1, 1);
+ share2.addPaths(path2, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath1, pathLabel1);
+
+ Api::applySharing(share2);
+ std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
+ RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for shared files should be unique!");
+
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, owner.generatePkgLabel());
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel2, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, owner.generatePkgLabel());
+ Api::uninstall(ownerReq);
+ for (size_t i = 1; i < helper.size(); i++) {
+ InstallRequest targetReq;
+ targetReq.setAppId(helper[i].getAppId());
+ targetReq.setPkgId(helper[i].getAppId());
+ Api::uninstall(targetReq);
+ }
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
+
+RUNNER_TEST(security_manager_35_share_uninstall_target) {
+ std::vector<AppInstallHelper> helper {{"app35aa"}, {"app35bb"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(ownerReq);
+}
+
+RUNNER_TEST(security_manager_35_share_uninstall_owner) {
+ std::vector<AppInstallHelper> helper {{"app35aaa"}, {"app35bbb"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_owner_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app36a", "pkg1"}, {"app36b", "pkg1"}, {"app36c", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(pkgAppReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_owner_drop) {
+ std::vector<AppInstallHelper> helper {{"app36aa", "pkg1"}, {"app36bb", "pkg1"}, {"app36cc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::dropSharing(share1);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_target_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app36aaa", "pkg1"}, {"app36bbb", "pkg1"}, {"app36ccc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_37_pkg_double_share_target_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app37a", "pkg1"}, {"app37b", "pkg1"}, {"app37c", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::applySharing(share1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_37_pkg_double_share_owner_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app37aa", "pkg1"}, {"app37bb", "pkg1"}, {"app37cc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::applySharing(share1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(targetReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_target)
+{
+ std::vector<AppInstallHelper> helper {{"app38a"}, {"app38b"}, {"app38c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+
+ InstallRequest targetReq1 = createInstallReq(target1);
+ Api::install(targetReq1);
+ InstallRequest targetReq2 = createInstallReq(target2);
+ Api::install(targetReq2);
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::uninstall(targetReq1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq2);
+}
+
+RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_owner)
+{
+ std::vector<AppInstallHelper> helper {{"app38aa"}, {"app38bb"}, {"app38cc"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+
+ InstallRequest targetReq1 = createInstallReq(target1);
+ Api::install(targetReq1);
+ InstallRequest targetReq2 = createInstallReq(target2);
+ Api::install(targetReq2);
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel,false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::dropSharing(share2, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(targetReq1);
+ Api::uninstall(targetReq2);
+}
+
+RUNNER_TEST(security_manager_40_set_wrong_author_id)
+{
+ InstallRequest requestInst;
+
+ RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
+ security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
+
+ RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
+ security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
+}
+
+RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
+{
+ for(unsigned int i=0; i<10; ++i) {
+ std::string authorId = "some-author-id" + std::to_string(i);
+
+ InstallRequest requestInst;
+ requestInst.setAuthorId(authorId);
+ }
+}
+
+RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
+{
+ std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
+ auto &provider = helper[0];
+ auto &user = helper[1];
+ auto &untrusted = helper[2];
+
+ TestSecurityManagerDatabase dbtest;
+ const char *author_id = "custom_author_id_test 41";
+
+ const char *const trusted_access = "rwxatl";
+ const char *const system_access = "rwxatl";
+
+ int result;
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ e.createTrustedDir();
+ }
+
+ result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
+
+ // install app with shared/trusted dir
+ InstallRequest trustingApp;
+ trustingApp.setAppId(provider.getAppId());
+ trustingApp.setPkgId(provider.getPkgId());
+ trustingApp.setAuthorId("author id to be overwritten");
+ trustingApp.setAuthorId(author_id);
+ trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(trustingApp);
+
+ int64_t authorDb = dbtest.get_author_id(author_id);
+ const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
+
+ // check trusted path label
+ nftw_expected_label = trusted_label;
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+
+ // check labels
+ result = nftw(provider.getTrustedDir().c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_TRUSTED_PATH);
+
+ // check rules
+ check_exact_access("System", trusted_label, system_access);
+ check_exact_access("User", trusted_label, system_access);
+ check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
+
+ // install trusted app
+ InstallRequest trustedApp;
+ trustedApp.setAppId(user.getAppId());
+ trustedApp.setPkgId(user.getPkgId());
+ trustedApp.setAuthorId(author_id);
+ Api::install(trustedApp);
+
+ // check rules
+ check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+
+ // install untrusted app
+ InstallRequest untrustedApp;
+ untrustedApp.setAppId(untrusted.getAppId());
+ untrustedApp.setPkgId(untrusted.getPkgId());
+ Api::install(untrustedApp);
+
+ // check rules
+ check_exact_access(generateAppLabel(untrusted.getAppId()), trusted_label, "");
+ check_exact_access(generatePkgLabel(untrusted.getPkgId()), trusted_label, "");
+
+ // uninstall trusting app
+ Api::uninstall(trustingApp);
+
+ // there's still one app with author id, rules should be kept
+ check_exact_access("System", trusted_label, system_access);
+ check_exact_access("User", trusted_label, system_access);
+ check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, "");
+ check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
+ check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+
+ Api::uninstall(trustedApp);
+
+ // no more apps with author id
+ check_exact_access("System", trusted_label, "");
+ check_exact_access("User", trusted_label, "");
+ check_exact_access(generateAppLabel(user.getAppId()), trusted_label, "");
+ check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+
+ Api::uninstall(untrustedApp);
+}
+
+
+RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
+{
+ AppInstallHelper help("app44");
+ help.createInstallDir();
+ help.createTrustedDir();
+
+ // install app with shared/trusted dir but without authors id
+ InstallRequest app;
+ app.setAppId(help.getAppId());
+ app.setPkgId(help.getPkgId());
+ app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
+{
+ std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
+ auto &trusted1 = helper[0];
+ auto &trusted2 = helper[1];
+
+ TestSecurityManagerDatabase dbtest;
+ const char *authorId1 = "custom_author_id_test a45";
+ const char *authorId2 = "custom_author_id_test b45";
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ e.createTrustedDir();
+ }
+
+ // install app with shared/trusted dir
+ InstallRequest trustingApp;
+ trustingApp.setAppId(trusted1.getAppId());
+ trustingApp.setPkgId(trusted1.getPkgId());
+ trustingApp.setAuthorId(authorId1);
+ trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(trustingApp);
+
+ int64_t authorDb1 = dbtest.get_author_id(authorId1);
+
+ // install trusted app
+ InstallRequest trustedApp;
+ trustedApp.setAppId(trusted2.getAppId());
+ trustedApp.setPkgId(trusted2.getPkgId());
+ trustedApp.setAuthorId(authorId2);
+ Api::install(trustedApp);
+
+ int64_t authorDb2 = dbtest.get_author_id(authorId2);
+
+ Api::uninstall(trustingApp);
+ Api::uninstall(trustedApp);
+
+ RUNNER_ASSERT(authorDb1 != authorDb2);
+}
+
+RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
+{
+ /* Description:
+ * Lets assume that app1 and app2 are part of pkg1.
+ * Deinstalation of app1 mustnot remove rules:
+ * System PKG1Label rwxatl
+ * User PKGLabel rwxatl
+ */
+
+ std::vector<AppInstallHelper> helper {{"a46"}, {"b46"}};
+ auto &trusted1 = helper[0];
+ auto &trusted2 = helper[1];
+
+ std::string authorId1 = "author46XYZ";
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ e.createTrustedDir();
+ }
+
+ InstallRequest trustingApp;
+ trustingApp.setAppId(trusted1.getAppId());
+ trustingApp.setPkgId(trusted1.getPkgId());
+ trustingApp.setAuthorId(authorId1);
+ trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(trustingApp);
+
+ InstallRequest trustingApp2;
+ trustingApp2.setAppId(trusted2.getAppId());
+ trustingApp2.setPkgId(trusted1.getPkgId()); // both apps will be part of same pkgId
+ trustingApp2.setAuthorId(authorId1);
+ Api::install(trustingApp2);
+
+ check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("System", generateAppLabel(trusted2.getAppId()), "rwxl");
+ check_exact_access("User", generateAppLabel(trusted2.getAppId()), "rwxl");
+
+ Api::uninstall(trustingApp2);
+
+ check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("System", generateAppLabel(trusted2.getAppId()), "");
+ check_exact_access("User", generateAppLabel(trusted2.getAppId()), "");
+
+ Api::uninstall(trustingApp);
+
+ check_exact_access("System", generateAppLabel(trusted1.getAppId()), "");
+ check_exact_access("User", generateAppLabel(trusted1.getAppId()), "");
+ check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "");
+ check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "");
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CREDENTIAL_API)
+
+class ProcessCredentials {
+public:
+ ProcessCredentials(const std::string &smackLabel) : m_label(smackLabel) {}
+
+ const std::string &label(void) const {
+ return m_label;
+ }
+
+ uid_t uid(void) const {
+ return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
+ }
+
+ gid_t gid(void) const {
+ return PasswdAccess::gid("users");
+ }
+
+private:
+ std::string m_label;
+};
+
+pid_t runInChild(const std::function<void(void)> &process) {
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
+
+ if (pid == 0) {
+ process();
+ exit(EXIT_SUCCESS);
+ }
+
+ return pid;
+}
+
+void udsServer(SynchronizationPipe &pipe, const struct sockaddr_un &sockaddr,
+ const struct ProcessCredentials &peerCredentials) {
+ SecurityServer::AccessProvider ap(peerCredentials.label());
+ ap.applyAndSwithToUser(peerCredentials.uid(), peerCredentials.gid());
+ pipe.claimChildEp();
+
+ int sock = UDSHelpers::createServer(&sockaddr);
+ SockUniquePtr sockPtr(&sock);
+ pipe.post();
+ int clientSock = UDSHelpers::acceptClient(sock);
+
+ UDSHelpers::waitForDisconnect(clientSock);
+}
+
+typedef std::function<void(int sock, pid_t pid)> SocketAssertionFn;
+
+void clientTestTemplate(SocketAssertionFn assertion, const std::string &scope, const std::string &smackLabel) {
+ const auto sockaddr = UDSHelpers::makeAbstractAddress("test_sm_" + scope + ".socket");
+ const ProcessCredentials peerCredentials(smackLabel);
+
+ SynchronizationPipe pipe;
+
+ pid_t pid = runInChild(std::bind(udsServer, std::ref(pipe), std::cref(sockaddr),
+ std::cref(peerCredentials)));
+
+ pipe.claimParentEp();
+ pipe.wait();
+ int sock = UDSHelpers::createClient(&sockaddr);
+ SockUniquePtr sockPtr(&sock);
+
+ assertion(sock, pid);
+}
+
+RUNNER_CHILD_TEST(security_manager_51a_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51a_app";
+ const char *const sm_pkg_id = "sm_test_51a_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdBySocket(sock, &rcvPkgId, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm27a", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51b_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51b_app";
+ const char *const sm_pkg_id = "sm_test_51b_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdBySocket(sock + 1, &rcvPkgId, &rcvAppId, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ }, "tcsm27b", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51c_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51c_app";
+ const char *const sm_pkg_id = "sm_test_51c_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvPkgId;
+ Api::getPkgIdBySocket(sock, &rcvPkgId, nullptr);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ }, "tcsm27c", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51d_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51d_app";
+ const char *const sm_pkg_id = "sm_test_51d_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvAppId;
+ Api::getPkgIdBySocket(sock, nullptr, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm27d", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51e_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51e_app";
+ const char *const sm_pkg_id = "sm_test_51e_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ Api::getPkgIdBySocket(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ }, "tcsm27e", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52a_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52a_app";
+ const char *const sm_pkg_id = "sm_test_52a_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdByPid(pid, &rcvPkgId, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm28a", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52b_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52b_app";
+ const char *const sm_pkg_id = "sm_test_52b_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdByPid(pid + 1, &rcvPkgId, &rcvAppId, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ }, "tcsm28b", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52c_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52c_app";
+ const char *const sm_pkg_id = "sm_test_52c_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvPkgId;
+ Api::getPkgIdByPid(pid, &rcvPkgId, nullptr);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ }, "tcsm28c", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52d_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52d_app";
+ const char *const sm_pkg_id = "sm_test_52d_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvAppId;
+ Api::getPkgIdByPid(pid, nullptr, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm28d", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52e_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52e_app";
+ const char *const sm_pkg_id = "sm_test_52e_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ Api::getPkgIdByPid(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ }, "tcsm28e", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
+{
+ const char *const sm_app_id = "sm_test_53_app";
+ const char *const sm_pkg_id = "sm_test_53_pkg";
+ const std::string new_user_name = "sm_test_47_user_name";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
+ requestInst.addPrivilege(privilege.c_str());
+ Api::install(requestInst);
+
+ for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
+ int result;
+ Api::appHasPrivilege(sm_app_id, privilege.c_str(), getGlobalUserId(), result);
+ RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
+ " should have access to privilege " << privilege);
+ }
+
+ for (auto const &privilege : SM_DENIED_PRIVILEGES) {
+ int result;
+ Api::appHasPrivilege(sm_app_id, privilege.c_str(), getGlobalUserId(), result);
+ RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
+ " should not have access to privilege " << privilege);
+ }
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
+
+RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
+{
+ const char *const sm_app_id = "sm_test_49a_app_id_global";
+ const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
+
+ Api::install(requestInst);
+
+ // Check records in the security-manager database
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+
+ // Check records in the security-manager database
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+}
+
+RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
+{
+ const char *const sm_app_id = "sm_test_49b_app_id_local";
+ const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
+
+ Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
+}
+
+RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
+{
+ const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
+ const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
+
+ Api::install(requestInst);
+
+ // Check records in the security-manager database
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+
+ // Check records in the security-manager database
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+}
+
+RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49d_app_id_global";
+ const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
+ const std::string new_user_name = "sm_test_49d_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ /*
+ * It is possible for local user to install global application but one needs app_install privileges
+ * By default only global user or root can install global apps
+ */
+ Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49e_app_id_local";
+ const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
+ const std::string new_user_name = "sm_test_49e_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ Api::install(requestPrivateUser);
+
+ check_app_permissions(sm_app_id, sm_pkg_id,
+ uidToStr(testUser.getUid()).c_str(),
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+
+ //uninstall app as non-root user
+ InstallRequest request;
+ request.setAppId(sm_app_id);
+
+ Api::uninstall(request);
+
+ check_app_permissions(sm_app_id, sm_pkg_id,
+ uidToStr(testUser.getUid()).c_str(),
+ SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
+
+RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
+ const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
+ const std::string new_user_name = "sm_test_49f_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ /*
+ * It is possible for local user to install preloaded application but one needs app_install privileges
+ * By default only global user or root can install preloaded apps
+ */
+ Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_TEST(security_manager_50_app_install_constraint_check)
+{
+ auto install = [](const TemporaryTestUser& user,
+ const char *pkgId,
+ const char *appId,
+ const char *version,
+ const char *author,
+ enum lib_retcode expected,
+ bool uninstall = true)
+ {
+ InstallRequest request;
+ request.setAppId(appId);
+ request.setPkgId(pkgId);
+ request.setAppTizenVersion(version);
+ request.setAuthorId(author);
+ request.setUid(user.getUid());
+
+ Api::install(request, expected);
+
+ if(expected == SECURITY_MANAGER_SUCCESS) {
+ // TODO add verification once check_app_after_install() supports uid
+ // check_app_after_install(appId, pkgId);
+ if(uninstall)
+ Api::uninstall(request);
+ }
+ };
+
+ std::vector<TemporaryTestUser> users = {
+ {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
+ {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
+ };
+
+ for(auto& gu : users)
+ gu.create();
+
+ const char *const pkgId[] = {"sm_test_50_pkg_id_0", "sm_test_50_pkg_id_1"};
+ const char *const appId[] = {"sm_test_50_app_id_0", "sm_test_50_app_id_1"};
+ const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
+ const char *const author[] = {"sm_test_50_author_0", "sm_test_50_author_1"};
+
+ // uid_0, pkg_0, app_0, version_0, author_0
+ install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
+
+ // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
+ install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
+ // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
+ install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
+ install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
+ // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_REGISTER_PATH)
+
+RUNNER_TEST(security_manager_54_path_req_no_pkg)
+{
+ const char *const sm_app_id = "sm_test_54_app_id";
+ const char *const sm_pkg_id = "sm_test_54_pkg_id";
+
+ TemporaryTestUser user("sm_test_54_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ PathsRequest req;
+ req.setPkgId("non-existing-pkg-id");
+ req.setUid(user.getUid());
+ req.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(req, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST(security_manager_55_path_req_empty_pkg)
+{
+ const char *const sm_app_id = "sm_test_55_app_id";
+ const char *const sm_pkg_id = "sm_test_55_pkg_id";
+
+ TemporaryTestUser user("sm_test_55_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ PathsRequest req;
+ req.setPkgId("");
+ req.setUid(user.getUid());
+ req.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(req, (lib_retcode)SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_56_path_req_wrong_type)
+{
+ PathsRequest req;
+ req.setInstallType(SM_APP_INSTALL_END,
+ (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ req.setInstallType((app_install_type)(SM_APP_INSTALL_NONE-1),
+ (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST(security_manager_57_path_req_wrong_uid)
+{
+ const char *const sm_app_id = "sm_test_57_app_id";
+ const char *const sm_pkg_id = "sm_test_57_pkg_id";
+
+ TemporaryTestUser user("sm_test_57_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(-1);
+ preq.setInstallType(SM_APP_INSTALL_LOCAL);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
+}
+
+RUNNER_TEST(security_manager_58_path_req_empty_paths)
+{
+ const char *const sm_app_id = "sm_test_58_app_id";
+ const char *const sm_pkg_id = "sm_test_58_pkg_id";
+
+ TemporaryTestUser user("sm_test_58_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ PathsRequest req;
+ req.setPkgId(sm_pkg_id);
+ req.setUid(user.getUid());
+ Api::registerPaths(req);
+}
+
+RUNNER_TEST(security_manager_59_path_req_as_root_positive)
+{
+ const char *const sm_app_id = "sm_test_59_app_id";
+ const char *const sm_pkg_id = "sm_test_59_pkg_id";
+
+ TemporaryTestUser user("sm_test_59_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
+}
+
+RUNNER_CHILD_TEST(security_manager_60_path_req_as_user_positive)
+{
+ const char *const sm_app_id = "sm_test_60_app_id";
+ const char *const sm_pkg_id = "sm_test_60_pkg_id";
+
+ TemporaryTestUser user("sm_test_60_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ int result = drop_root_privileges(user.getUid(), user.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
+}
+
+RUNNER_CHILD_TEST(security_manager_61_path_req_different_user)
+{
+ const char *const sm_app_id = "sm_test_61_app_id";
+ const char *const sm_pkg_id = "sm_test_61_pkg_id";
+
+ TemporaryTestUser user1("sm_test_61_1_user_name", GUM_USERTYPE_NORMAL, false);
+ user1.create();
+ TemporaryTestUser user2("sm_test_61_2_user_name", GUM_USERTYPE_NORMAL, false);
+ user2.create();
+
+ std::string path = appDirPath(user2, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user2, sm_app_id, sm_pkg_id);
+ createTestDirs(user2, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user2.getUid());
+
+ int result = drop_root_privileges(user1.getUid(), user1.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user2.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+void testPathOutside(const std::string& pkgId, uid_t uid, const std::string& path)
+{
+ PathsRequest preq;
+ preq.setPkgId(pkgId);
+ preq.setUid(uid);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_TEST(security_manager_62_path_req_path_outside)
+{
+ const char *const sm_app_id = "sm_test_62_app_id";
+ const char *const sm_pkg_id = "sm_test_62_pkg_id";
+
+ TemporaryTestUser user1("sm_test_62_1_user_name", GUM_USERTYPE_NORMAL, false);
+ user1.create();
+ TemporaryTestUser user2("sm_test_62_2_user_name", GUM_USERTYPE_NORMAL, false);
+ user2.create();
+
+ install_app(sm_app_id, sm_pkg_id, user1.getUid());
+
+ removeTestDirs(user1, sm_app_id, sm_pkg_id);
+ removeTestDirs(user2, sm_app_id, sm_pkg_id);
+ createTestDirs(user1, sm_app_id, sm_pkg_id);
+ createTestDirs(user2, sm_app_id, sm_pkg_id);
+
+ testPathOutside(sm_pkg_id, user1.getUid(), appDirPath(user2, sm_app_id, sm_pkg_id));
+ testPathOutside(sm_pkg_id, user1.getUid(), appDirPath(user1, sm_app_id, "sm_test_62_non_existing_pkg_id"));
+ testPathOutside(sm_pkg_id, user1.getUid(), std::string("/home/") + user1.getUserName());
+}
+
+void testPathsReqAsUser(const enum app_install_type &type, lib_retcode expectedResult) {
+ const char *const sm_app_id = "sm_test_63_app_id";
+ const char *const sm_pkg_id = "sm_test_63_pkg_id";
+
+ TemporaryTestUser user("sm_test_63_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ int result = drop_root_privileges(user.getUid(), user.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.setInstallType(type);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, expectedResult);
+}
+
+RUNNER_CHILD_TEST(security_manager_63a_path_req_as_user)
+{
+ testPathsReqAsUser(SM_APP_INSTALL_GLOBAL,
+ (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_CHILD_TEST(security_manager_63b_path_req_preloaded_as_user)
+{
+ testPathsReqAsUser(SM_APP_INSTALL_PRELOADED,
+ (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+void testPathsReqLocal(uid_t uid, gid_t gid)
+{
+ const char *const sm_app_id = "sm_test_64_app_id";
+ const char *const sm_pkg_id = "sm_test_64_pkg_id";
+
+ TemporaryTestUser user("sm_test_64_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ int result = drop_root_privileges(uid, gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.setInstallType(SM_APP_INSTALL_LOCAL);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
+}
+
+
+RUNNER_CHILD_TEST(security_manager_64a_path_req_as_local_as_root)
+{
+ testPathsReqLocal(0, 0);
+}
+
+RUNNER_CHILD_TEST(security_manager_64b_path_req_as_local_asuser)
+{
+ testPathsReqLocal(getGlobalUserId(), getGlobalGroupId());
+}
+
+RUNNER_TEST(security_manager_66_path_req_check_labels)
+{
+ const char *const sm_app_id = "sm_test_66_app_id_full";
+ const char *const sm_pkg_id = "sm_test_66_pkg_id_full";
+
+ std::string SM_RW_PATH = genRWPath(66);
+ std::string SM_RO_PATH = genROPath(66);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(66);
+
+ prepare_app_env(66);
+
+ install_app(sm_app_id, sm_pkg_id);
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
+ preq.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
+ preq.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ Api::registerPaths(preq);
+
+ uninstall_app(sm_app_id, sm_pkg_id, true);
+}
+
+RUNNER_TEST(security_manager_67_path_req_shared_ro_3_0)
+{
+ const char *const sm_app_id = "sm_test_67_app_id";
+ const char *const sm_pkg_id = "sm_test_67_pkg_id";
+
+ TemporaryTestUser user("sm_test_67_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ InstallRequest ireq;
+ ireq.setAppId(sm_app_id);
+ ireq.setPkgId(sm_pkg_id);
+ ireq.setUid(user.getUid());
+ ireq.setAppTizenVersion("3.0");
+ Api::install(ireq);
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
+}
+
+RUNNER_TEST(security_manager_68_path_req_shared_ro_2_X)
+{
+ const char *const sm_app_id = "sm_test_68_app_id";
+ const char *const sm_pkg_id = "sm_test_68_pkg_id";
+
+ TemporaryTestUser user("sm_test_68_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ InstallRequest ireq;
+ ireq.setAppId(sm_app_id);
+ ireq.setPkgId(sm_pkg_id);
+ ireq.setUid(user.getUid());
+ ireq.setAppTizenVersion("2.4");
+ Api::install(ireq);
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
+
+ Api::registerPaths(preq);
+
+ // check labels
+ nftw_expected_label = generatePkgLabel(sm_pkg_id) + "::SharedRO";
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+ int result = nftw(path.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << path);
+}
+
+RUNNER_TEST(security_manager_69_path_req_trusted_rw_no_author)
+{
+ const char *const sm_app_id = "sm_test_69_app_id";
+ const char *const sm_pkg_id = "sm_test_69_pkg_id";
+
+ TemporaryTestUser user("sm_test_69_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_TRUSTED_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST(security_manager_70_path_req_trusted_rw_positive)
+{
+ const char *const sm_app_id = "sm_test_70_app_id";
+ const char *const sm_pkg_id = "sm_test_70_pkg_id";
+ const char *const author_id = "sm_test_70_author_id";
+
+ TemporaryTestUser user("sm_test_70_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
+
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ InstallRequest ireq;
+ ireq.setAppId(sm_app_id);
+ ireq.setPkgId(sm_pkg_id);
+ ireq.setUid(user.getUid());
+ ireq.setAuthorId(author_id);
+ Api::install(ireq);
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_TRUSTED_RW);
+
+ Api::registerPaths(preq);
+
+ // check labels
+ TestSecurityManagerDatabase dbtest;
+ int64_t authorDb = dbtest.get_author_id(author_id);
+ nftw_expected_label = std::string("User::Author::") + std::to_string(authorDb);
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+ int result = nftw(path.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << path);
}
int main(int argc, char *argv[])
projects / platform / core / test / security-tests.git / blobdiff