/*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <app_install_helper.h>
#include <cynara_test_admin.h>
#include <dpl/test/test_runner.h>
+#include <label_generator.h>
#include <message_pipe.h>
#include <policy_configuration.h>
#include <scoped_installer.h>
-#include <scoped_label.h>
#include <service_manager.h>
#include <sm_api.h>
#include <sm_commons.h>
#include <tests_common.h>
#include <tzplatform.h>
#include <uds.h>
+#include <scoped_process_label.h>
using namespace SecurityManagerTest;
check_path(privateDir, generatePathRWLabel(pkgId));
check_path(privateRODir, generatePathROLabel(pkgId), false);
check_path(publicRODir, getPublicPathLabel());
- check_path(sharedRODir, generatePathSharedROLabel(pkgId));
+ check_path(sharedRODir, getSharedROPathLabel());
}
RUNNER_TEST(security_manager_02_app_install_uninstall_full)
{
- PolicyConfiguration policy;
- PolicyConfiguration::PrivGroupMap privGroupMap = policy.getPrivGroupMap();
-
- RUNNER_ASSERT_MSG(privGroupMap.size() >= 4, "Failed to get policy of a suitable size");
-
- privileges_t allowedPrivs;
- privileges_t someDeniedPrivs;
+ privileges_t defaultPrivs = {
+ "http://tizen.org/privilege/internal/device/audio",
+ "http://tizen.org/privilege/internal/device/display",
+ "http://tizen.org/privilege/internal/device/video"
+ };
+ privileges_t allowedPrivs = {
+ "http://tizen.org/privilege/camera",
+ "http://tizen.org/privilege/mediastorage"
+ };
+ privileges_t someDeniedPrivs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/externalstorage"
+ };
- int counter = 0;
- for (auto const &it: privGroupMap) {
- if (counter < 2)
- allowedPrivs.push_back(it.first);
- else if (counter < 4)
- someDeniedPrivs.push_back(it.first);
- else
- break;
- ++counter;
- }
+ privileges_t defaultAllowedPrivs = defaultPrivs;
+ defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
AppInstallHelper app("sm_test_02");
app.createPrivateDir();
ScopedInstaller appInstall(app);
check_app_after_install(app.getAppId(), app.getPkgId(),
- app.getPrivileges(), someDeniedPrivs);
+ defaultAllowedPrivs, someDeniedPrivs);
check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
check_path(app.getPublicDir(), getPublicPathLabel());
- check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+ check_path(app.getSharedRODir(), getSharedROPathLabel());
}
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivileges());
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivilegesNames());
}
RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
}
};
- std::vector<TemporaryTestUser> users = {
- {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
- {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
+ auto update = [](const TemporaryTestUser& user,
+ const char *pkgId,
+ const char *appId,
+ const char *version,
+ const char *author,
+ bool isHybrid,
+ enum lib_retcode expected,
+ bool uninstall = true)
+ {
+ InstallRequest request;
+ request.setAppId(appId);
+ request.setPkgId(pkgId);
+ request.setAppTizenVersion(version);
+ request.setAuthorId(author);
+ request.setUid(user.getUid());
+ if (isHybrid)
+ request.setHybrid();
+ Api::update(request, expected);
+
+ if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
+ Api::uninstall(request);
+ }
+ };
+
+ std::array<TemporaryTestUser, 2> users{
+ TemporaryTestUser{"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
+ TemporaryTestUser{"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
};
for(auto& gu : users)
install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
// uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
- // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
+ // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok for update (different hybrid setting)
install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> fail (different hybrid setting)
- install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
- install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ update(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
+ // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> ok (new app id)
+ install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
+ // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (different hybrid setting)
+ install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
// uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> fail (author of app_0 must be the same)
install(users[1], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> fail (version of app_0 must be the same)
+ // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (version upgrade and different hybrid setting)
install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ update(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
// uid_1, pkg_1, app_0, version_0, author_0, not hybrid -> fail (pkg of app_0 must be the same)
install(users[1], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
// uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok (the same app again)
install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
// uid_0, pkg_1, app_0, version_0, author_0, not hybrid -> fail (app_name + uid must be unique)
install(users[0], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_1, author_0, not hybrid -> fail (app_name + uid must be unique)
- install(users[0], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
// uid_0, pkg_0, app_0, version_0, author_1, not hybrid -> fail (app_name + uid must be unique)
install(users[0], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
+RUNNER_TEST(security_manager_09a_install_many_apps_in_single_request)
+{
+ const std::string pkgId = "sm_test_09a_pkg_id_0";
+ const std::vector<std::string> appIds = {"sm_test_09a_app_id_0", "sm_test_09a_app_id_1", "sm_test_09a_app_id_2"};
+
+ {
+ ScopedInstaller appsInstall(appIds, pkgId);
+ // Installing many applications in single request
+ for (const auto &appId : appIds) {
+ check_app_after_install(appId, pkgId);
+ }
+ }
+
+ for (const auto &appId : appIds) {
+ check_app_after_uninstall(appId, pkgId);
+ }
+}
+
+RUNNER_TEST(security_manager_09b_install_many_apps_in_single_request_duplicated_ids)
+{
+ const std::string pkgId = "sm_test_09b_pkg_id_0";
+ const std::string appId = "sm_test_09b_app_id_0";
+
+ {
+ ScopedInstaller appsInstall({appId, appId}, pkgId);
+ check_app_after_install(appId, pkgId);
+ }
+
+ check_app_after_uninstall(appId, pkgId);
+}
+
+RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_package)
+{
+ const std::vector<std::string> appIds = {"sm_test_09c_app_id_0", "sm_test_09c_app_id_1", "sm_test_09c_app_id_2"};
+ const std::string pkgId = "sm_test_09c_pkg_id_0";
+
+ {
+ ScopedInstaller appsInstall(appIds, pkgId);
+ // Package is not hybrid, every app has same policy.
+ for (const auto &appId : appIds) {
+ check_app_after_install(appId, pkgId);
+ }
+
+ // Updating package -- changing set of apps in package and setting hybrid mode
+ InstallRequest updateRequest;
+ updateRequest.setPkgId(pkgId);
+ updateRequest.setAppId(appIds[0]);
+ updateRequest.nextApp();
+ updateRequest.setAppId(appIds[1]);
+ updateRequest.setHybrid();
+
+ Api::update(updateRequest);
+ // Package became hybrid, so every app has its own Smack label
+ check_app_after_install(appIds[0], pkgId, true);
+ check_app_after_install(appIds[1], pkgId, true);
+ // Package became hybrid properly,
+ // so app not included in updated version of package was uninstalled.
+ check_app_after_uninstall(appIds[2], pkgId);
+ }
+
+ for (const auto &appId : appIds) {
+ check_app_after_uninstall(appId, pkgId, true, true);
+ }
+}
+
+RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
+{
+ const std::vector<std::string> appIds = {"sm_test_09d_app_id_0", "sm_test_09d_app_id_1", "sm_test_09d_app_id_2"};
+ const std::string pkgId = "sm_test_09d_pkg_id_0";
+ {
+ ScopedInstaller appsInstall(appIds, pkgId);
+
+ InstallRequest updateRequest;
+ updateRequest.setPkgId(pkgId);
+ for (unsigned int i = 0; i < appIds.size(); i++) {
+ if (i > 0) {
+ updateRequest.nextApp();
+ }
+ updateRequest.setAppId(appIds[i]);
+ }
+ updateRequest.setHybrid();
+ Api::update(updateRequest);
+
+ InstallRequest uninstRequest;
+ uninstRequest.setPkgId(pkgId);
+ uninstRequest.setAppId(appIds[0]);
+ Api::uninstall(uninstRequest);
+
+ check_app_after_uninstall(appIds[0], pkgId, true);
+ }
+}
+
RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
{
const std::vector<std::string> allowedPrivs = {
{
// FIXME - whitebox - cynara
const char *const MAIN_BUCKET = "MAIN";
- const char *const MANIFESTS_BUCKET = "MANIFESTS";
+ const char *const MANIFESTS_GLOBAL_BUCKET = "MANIFESTS_GLOBAL";
+ const char *const MANIFESTS_LOCAL_BUCKET = "MANIFESTS_LOCAL";
const char *const ADMIN_BUCKET = "ADMIN";
const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
CynaraTestAdmin::Admin admin;
CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
- admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(MANIFESTS_GLOBAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(MANIFESTS_LOCAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
}
PolicyRequest addPolicyReq;
for (auto &deniedPriv : deniedPrivsAfterChange) {
PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv);
- entry.setMaxLevel("Deny");
+ entry.setMaxLevel(PolicyEntry::LEVEL_DENY);
addPolicyReq.addEntry(entry);
}
Api::sendPolicy(addPolicyReq);
RUNNER_TEST(security_manager_24_groups_get)
{
PolicyConfiguration pc;
- char ** c_groups;
+ gid_t * c_groups;
size_t count = 0;
Api::getSecurityManagerGroups(&c_groups, &count);
- std::unique_ptr<char *, std::function<void(char **)>> groupsPtr(c_groups, [count] (char ** groups) {
- security_manager_groups_free(groups, count);
- });
+ std::unique_ptr<gid_t, decltype(free)*> groupsPtr(c_groups, free);
- auto policyGroups = pc.getGroup();
+ auto policyGroups = pc.getGid();
RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
<< policyGroups.size() << " but count is: " << count);
*/
RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
{
+ RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
+
TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
AppInstallHelper app("sm_test_25e");
- change_label("_");
+ ScopedProcessLabel spl("_", false);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
"drop_root_privileges failed");
RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
{
+ RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
+
TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
AppInstallHelper app("sm_test_25f");
- change_label("_");
+ ScopedProcessLabel spl("_", false);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
"drop_root_privileges failed");
InstallRequest invalidReq;
Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
}
-
RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
{
std::vector<std::string> allowedPrivs = {
invalidReq.setPkgId(app.getPkgId());
invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
- Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+ Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
}
RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
invalidReq.setPkgId(app.getPkgId());
invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
- Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+ Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
}
RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
- Api::install(invalidReq, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+ Api::install(invalidReq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
}
+RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check)
+{
+ TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
+
+ const std::vector<std::string> allowedPrivs = {
+ "http://tizen.org/privilege/wifidirect",
+ "http://tizen.org/privilege/telephony"
+ };
+
+ AppInstallHelper app1("sm_test_26_1", "sm_test_26", testUser.getUid());
+ app1.addPrivileges(allowedPrivs);
+ app1.setHybrid();
+
+ AppInstallHelper app2("sm_test_26_2", "sm_test_26", testUser.getUid());
+ app2.addPrivileges(allowedPrivs);
+ app2.setHybrid();
+
+ {
+ ScopedInstaller appInstall1(app1);
+ ScopedInstaller appInstall2(app2);
+ check_app_permissions(app1.getAppId(), app1.getPkgId(), testUser.getUidString(),
+ allowedPrivs, {}, app1.getIsHybrid());
+ check_app_permissions(app2.getAppId(), app2.getPkgId(), testUser.getUidString(),
+ allowedPrivs, {}, app2.getIsHybrid());
+
+ }
+ check_app_permissions(app1.getAppId(), app1.getPkgId(), testUser.getUidString(),
+ {}, allowedPrivs, app1.getIsHybrid());
+ check_app_permissions(app2.getAppId(), app2.getPkgId(), testUser.getUidString(),
+ {}, allowedPrivs, app2.getIsHybrid());
+}
projects / platform / core / test / security-tests.git / blobdiff