/*
- * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* limitations under the License.
*/
-// cstdlibg has to be included before attr/xattr
-#include <cstdlib>
-#include <attr/xattr.h>
+#include <linux/xattr.h>
#include <fstream>
#include <memory>
#include <regex>
#include <cynara-admin.h>
-#include <app_install_helper.h>
#include <cynara_test_admin.h>
#include <dpl/test/test_runner.h>
#include <label_generator.h>
#include <message_pipe.h>
#include <policy_configuration.h>
#include <scoped_installer.h>
-#include <scoped_label.h>
#include <service_manager.h>
#include <sm_api.h>
#include <sm_commons.h>
#include <tests_common.h>
#include <tzplatform.h>
#include <uds.h>
+#include <scoped_process_label.h>
+#include <scoped_app_launcher.h>
+#include <app_install_helper_ext.h>
+#include <privilege_names.h>
+#include <app_def_privilege.h>
using namespace SecurityManagerTest;
-
-namespace {
-std::vector<std::string> merge(const std::vector<std::string> &one, const std::vector<std::string> &two) {
- std::vector<std::string> sum;
- sum.reserve(one.size() + two.size());
- sum.insert(sum.end(), one.begin(), one.end());
- sum.insert(sum.end(), two.begin(), two.end());
- return sum;
-}
-}
+using namespace PrivilegeNames;
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
{
- AppInstallHelper app("sm_test_01a_app");
+ AppInstallHelperExt app("sm_test_01a_app");
{
ScopedInstaller appInstall(app);
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
{
ScopedInstaller appInstall2(app);
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
}
- check_app_after_uninstall(app.getAppId(), app.getPkgId());
+ app.checkAfterUninstall();
}
}
RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
{
- AppInstallHelper app("sm_test_01b");
+ AppInstallHelperExt app("sm_test_01b");
{
ScopedInstaller appInstall(app);
Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
}
- check_app_after_uninstall(app.getAppId(), app.getPkgId());
+ app.checkAfterUninstall();
}
RUNNER_TEST(security_manager_01c_app_uninstall_wrong_pkg_id)
{
- AppInstallHelper app("sm_test_01c");
+ AppInstallHelperExt app("sm_test_01c");
ScopedInstaller appInstall(app);
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
InstallRequest requestUninst;
requestUninst.setAppId(app.getAppId());
check_path(privateDir, generatePathRWLabel(pkgId));
check_path(privateRODir, generatePathROLabel(pkgId), false);
check_path(publicRODir, getPublicPathLabel());
- check_path(sharedRODir, generatePathSharedROLabel(pkgId));
+ check_path(sharedRODir, getSharedROPathLabel());
}
-RUNNER_TEST(security_manager_02_app_install_uninstall_full)
+RUNNER_CHILD_TEST(security_manager_02_app_install_uninstall_full)
{
- PolicyConfiguration policy;
- PolicyConfiguration::PrivGroupMap privGroupMap = policy.getPrivGroupMap();
-
- RUNNER_ASSERT_MSG(privGroupMap.size() >= 4, "Failed to get policy of a suitable size");
-
- privileges_t allowedPrivs;
- privileges_t someDeniedPrivs;
+ const PrivilegeVector defaultPrivs = {
+ PRIV_INTERNAL_AUDIO,
+ PRIV_INTERNAL_DISPLAY,
+ PRIV_INTERNAL_VIDEO,
+ };
+ const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
+ const PrivilegeVector someDeniedPrivs = {PRIV_INTERNET, PRIV_EXTERNALSTORAGE};
- int counter = 0;
- for (auto const &it: privGroupMap) {
- if (counter < 2)
- allowedPrivs.push_back(it.first);
- else if (counter < 4)
- someDeniedPrivs.push_back(it.first);
- else
- break;
- ++counter;
- }
+ PrivilegeVector defaultAllowedPrivs = defaultPrivs;
+ defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
- AppInstallHelper app("sm_test_02");
+ AppInstallHelperExt app("sm_test_02");
app.createPrivateDir();
app.createPrivateRODir();
app.createPublicDir();
{
ScopedInstaller appInstall(app);
- check_app_after_install(app.getAppId(), app.getPkgId(),
- app.getPrivilegesNames(), someDeniedPrivs);
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
+ {
+ ScopedAppLauncher launcher(app, [&]{ app.checkGroupPrivileges(defaultAllowedPrivs); });
+ }
check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
check_path(app.getPublicDir(), getPublicPathLabel());
- check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+ check_path(app.getSharedRODir(), getSharedROPathLabel());
}
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivilegesNames());
+ app.checkAfterUninstall();
+}
+
+RUNNER_CHILD_TEST(security_manager_02a_set_process_groups)
+{
+ const PrivilegeVector defaultPrivs = {
+ PRIV_INTERNAL_AUDIO,
+ PRIV_INTERNAL_DISPLAY,
+ PRIV_INTERNAL_VIDEO,
+ };
+ const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
+
+ auto defaultAllowedPrivs = defaultPrivs;
+ defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
+
+ AppInstallHelperExt app("sm_test_02a");
+ app.addPrivileges(allowedPrivs);
+ {
+ ScopedInstaller appInstall(app);
+
+ app.checkAfterInstall();
+
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+ if (pid != 0) {
+ waitPid(pid);
+ } else {
+ Api::setProcessGroups(app.getAppId());
+ app.checkGroupPrivileges(defaultAllowedPrivs);
+ exit(0);
+ }
+ }
+ app.checkAfterUninstall();
}
RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
{
- const std::vector<std::string> allowedPrivs = {
- "http://tizen.org/privilege/bluetooth",
- "http://tizen.org/privilege/power"
- };
- const std::vector<std::string> someDeniedPrivs = {
- "http://tizen.org/privilege/display",
- "http://tizen.org/privilege/nfc"
- };
+ const PrivilegeVector allowedPrivs = {PRIV_BLUETOOTH, PRIV_POWER};
+ const PrivilegeVector someDeniedPrivs = {PRIV_DISPLAY, PRIV_NFC};
TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- AppInstallHelper app("sm_test_04a", testUser.getUid());
+ AppInstallHelperExt app("sm_test_04a", testUser.getUid());
app.addPrivileges(allowedPrivs);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
"drop_root_privileges failed");
{
ScopedInstaller appInstall(app, false);
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- allowedPrivs, someDeniedPrivs);
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
}
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- {}, merge(allowedPrivs, someDeniedPrivs));
+ app.checkAfterUninstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
}
RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) {
- const std::vector<std::string> allowedPrivs = {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/led"
- };
- const std::vector<std::string> someDeniedPrivs = {
- "http://tizen.org/privilege/location",
- "http://tizen.org/privilege/notification"
- };
+ const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
+ const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- AppInstallHelper app("sm_test_04b", testUser.getUid());
+ AppInstallHelperExt app("sm_test_04b", testUser.getUid());
app.addPrivileges(allowedPrivs);
{
ScopedInstaller appInstall(app);
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- allowedPrivs, someDeniedPrivs);
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
"drop_root_privileges failed");
}
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- {}, merge(allowedPrivs, someDeniedPrivs));
+ app.checkAfterUninstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
}
RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
// TODO - check if app is uninstalled properly
}
-RUNNER_TEST(security_manager_07a_user_add_app_install)
+RUNNER_CHILD_TEST(security_manager_07a_user_add_app_install)
{
- const std::vector<std::string> allowedPrivs = {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/led"
- };
- const std::vector<std::string> someDeniedPrivs = {
- "http://tizen.org/privilege/location",
- "http://tizen.org/privilege/notification"
- };
+ const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
+ const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- AppInstallHelper app("sm_test_07a", testUser.getUid());
+ AppInstallHelperExt app("sm_test_07a", testUser.getUid());
app.addPrivileges(allowedPrivs);
InstallRequest req;
req.addPrivilege(priv);
}
Api::install(req);
-
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- allowedPrivs, someDeniedPrivs);
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
testUser.remove();
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- {}, merge(allowedPrivs, someDeniedPrivs));
-
- // TODO - check if app is uninstalled
+ app.checkAfterUninstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
}
RUNNER_TEST(security_manager_07b_user_add_offline)
TemporaryTestUser testUser("sm_test_07b_user_name", GUM_USERTYPE_NORMAL, true);
testUser.create();
- AppInstallHelper app("sm_test_07b", testUser.getUid());
+ AppInstallHelperExt app("sm_test_07b", testUser.getUid());
ScopedInstaller appInstall(app);
serviceManager.startService();
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
testUser.remove();
- check_app_after_uninstall(app.getAppId(), app.getPkgId());
+ app.checkAfterUninstall();
}
RUNNER_TEST(security_manager_08_user_double_add_double_remove)
{
- std::vector<std::string> somePrivs = {
- "http://tizen.org/privilege/internet", "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/location", "http://tizen.org/privilege/notification"
- };
+ const PrivilegeVector somePrivs = {PRIV_LED, PRIV_NOTIFICATION};
+
// gumd
TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
Api::addUser(addUserRequest);
- AppInstallHelper app("sm_test_08", testUser.getUid());
+ AppInstallHelperExt app("sm_test_08", testUser.getUid());
ScopedInstaller appInstall(app);
- check_app_after_install(app.getAppId(), app.getPkgId());
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(somePrivs);
// gumd
testUser.remove();
- check_app_after_uninstall(app.getAppId(), app.getPkgId());
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
+ app.checkAfterUninstall();
// security-manager
UserRequest deleteUserRequest;
RUNNER_TEST(security_manager_09_app_install_constraint_check)
{
- auto install = [](const TemporaryTestUser& user,
- const char *pkgId,
- const char *appId,
- const char *version,
- const char *author,
- bool isHybrid,
- enum lib_retcode expected,
- bool uninstall = true)
+ auto install = [](const AppInstallHelperExt& app, bool success)
{
- InstallRequest request;
- request.setAppId(appId);
- request.setPkgId(pkgId);
- request.setAppTizenVersion(version);
- request.setAuthorId(author);
- request.setUid(user.getUid());
- if (isHybrid)
- request.setHybrid();
- Api::install(request, expected);
-
- if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
- Api::uninstall(request);
- }
+ auto expected = success ? SECURITY_MANAGER_SUCCESS : SECURITY_MANAGER_ERROR_INPUT_PARAM;
+ ScopedInstaller appInstall(app, true, expected);
+ if (success)
+ app.checkAfterInstall();
+ return appInstall;
};
- auto update = [](const TemporaryTestUser& user,
- const char *pkgId,
- const char *appId,
- const char *version,
- const char *author,
- bool isHybrid,
- enum lib_retcode expected,
- bool uninstall = true)
+ auto update = [](const AppInstallHelperExt& app)
{
InstallRequest request;
- request.setAppId(appId);
- request.setPkgId(pkgId);
- request.setAppTizenVersion(version);
- request.setAuthorId(author);
- request.setUid(user.getUid());
- if (isHybrid)
+ request.setAppId(app.getAppId());
+ request.setPkgId(app.getPkgId());
+ request.setAppTizenVersion(app.getVersion());
+ request.setAuthorId(app.getAuthor());
+ request.setUid(app.getUID());
+ if (app.getIsHybrid())
request.setHybrid();
- Api::update(request, expected);
-
- if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
- Api::uninstall(request);
- }
+ Api::update(request);
};
- std::vector<TemporaryTestUser> users = {
- {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
- {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
+ TemporaryTestUser users[] = {
+ {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
+ {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
};
- for(auto& gu : users)
+ for (auto& gu : users)
gu.create();
- const char *const pkgId[] = {"sm_test_09_pkg_id_0", "sm_test_09_pkg_id_1"};
- const char *const appId[] = {"sm_test_09_app_id_0", "sm_test_09_app_id_1"};
- const char *const version[] = {"sm_test_09_version_0", "sm_test_09_version_1"};
- const char *const author[] = {"sm_test_09_author_0", "sm_test_09_author_1"};
+ const char *const pkgIdPrefix[] = {"sm_test_09_0", "sm_test_09_1"};
+ const char *const appIdPrefix[] = {"sm_test_09_0", "sm_test_09_1"};
+ const char *const version[] = {"sm_test_09_0_version", "sm_test_09_1_version"};
+ const char *const author[] = {"sm_test_09_0_author", "sm_test_09_1_author"};
bool hybrid[] = {false, true};
- // uid_0, pkg_0, app_0, version_0, author_0, not hybrid
- install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
+ std::list<AppInstallHelperExt> apps;
+
+ auto make_helper = [&](size_t userIdx,
+ size_t pkgIdx,
+ size_t appIdx,
+ size_t verIdx,
+ size_t authorIdx,
+ size_t hybridIdx) -> AppInstallHelperExt&
+ {
+ apps.emplace_back(appIdPrefix[appIdx], pkgIdPrefix[pkgIdx], users[userIdx].getUid());
+ apps.back().setAuthor(author[authorIdx]);
+ apps.back().setVersion(version[verIdx]);
+ if (hybrid[hybridIdx])
+ apps.back().setHybrid();
+ return apps.back();
+ };
+
+ // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok
+ auto &app000000 = make_helper(0, 0, 0, 0, 0, 0);
+ auto i1 = install(app000000, true);
+
// uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
- install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
- // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok for update (different hybrid setting)
- install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- update(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
+ auto& app100000 = make_helper(1, 0, 0, 0, 0, 0);
+ install(app100000, true);
+
+ // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> conflicts with existing non hybrid app
+ auto& app000001 = make_helper(0, 0, 0, 0, 0, 1);
+ install(app000001, false);
+
+ // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok (app updated to hybrid)
+ update(app000001);
+
+ // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok (app installed again)
+ auto i2 = install(app000001, true);
+
+ // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> conflicts with existing hybrid app
+ install(app000000, false);
+
// uid_0, pkg_0, app_1, version_0, author_0, hybrid -> ok (new app id)
- install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
- // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (different hybrid setting)
- install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
- // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> fail (author of app_0 must be the same)
- install(users[1], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (version upgrade and different hybrid setting)
- install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- update(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
- // uid_1, pkg_1, app_0, version_0, author_0, not hybrid -> fail (pkg of app_0 must be the same)
- install(users[1], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok (the same app again)
- install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
- // uid_0, pkg_1, app_0, version_0, author_0, not hybrid -> fail (app_name + uid must be unique)
- install(users[0], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_0, author_1, not hybrid -> fail (app_name + uid must be unique)
- install(users[0], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ auto& app001001 = make_helper(0, 0, 1, 0, 0, 1);
+ auto i3 = install(app001001, true);
+
+ // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (hybrid, different uid)
+ auto& app100001 = make_helper(1, 0, 0, 0, 0, 1);
+ auto i4 = install(app100001, true);
+
+ // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> author of app_0 must be the same
+ auto& app100010 = make_helper(1, 0, 0, 0, 1, 0);
+ install(app100010, false);
+
+ // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (app version and hybridity changed)
+ auto& app100100 = make_helper(1, 0, 0, 1, 0, 0);
+ update(app100100);
+
+ // uid_1, pkg_1, app_0, version_1, author_0, not hybrid -> pkg of app_0 must be the same
+ auto& app110100 = make_helper(1, 1, 0, 1, 0, 0);
+ install(app110100, false);
+
+ for (auto& gu : users)
+ gu.remove();
+
+ RUNNER_IGNORED_MSG("Disabled until hybridity update works properly for all users");
+ for (auto& app : apps)
+ app.checkAfterUninstall();
+}
+
+RUNNER_TEST(security_manager_09a_install_many_apps_in_single_request)
+{
+ constexpr char pkgIdPrefix[] = "sm_test_09a";
+ const AppInstallHelperExt apps[] = {{"sm_test_09a_0", pkgIdPrefix},
+ {"sm_test_09a_1", pkgIdPrefix},
+ {"sm_test_09a_2", pkgIdPrefix}};
+ static_assert(sizeof(apps) > 0);
+
+ std::vector<std::string> appIds;
+ for (auto &app : apps)
+ appIds.push_back(app.getAppId());
+
+ {
+ ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
+ // Installing many applications in single request
+ for (auto &app : apps) {
+ app.checkAfterInstall();
+ }
+ }
+
+ for (auto &app : apps) {
+ app.checkAfterUninstall();
+ }
+}
+
+RUNNER_TEST(security_manager_09b_install_many_apps_in_single_request_duplicated_ids)
+{
+ AppInstallHelperExt app("sm_test_09b");
+ {
+ ScopedInstaller appsInstall({app.getAppId(), app.getAppId()}, app.getPkgId());
+ app.checkAfterInstall();
+ }
+
+ app.checkAfterUninstall();
+}
+
+RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_package)
+{
+ constexpr char pkgIdPrefix[] = "sm_test_09c";
+ AppInstallHelperExt apps[] = {{"sm_test_09c_0", pkgIdPrefix},
+ {"sm_test_09c_1", pkgIdPrefix},
+ {"sm_test_09c_2", pkgIdPrefix}};
+ static_assert(sizeof(apps) > 0);
+
+ std::vector<std::string> appIds;
+ for (const auto &app : apps)
+ appIds.push_back(app.getAppId());
+
+ {
+ ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
+ // Package is not hybrid, every app has same policy.
+ for (const auto &app : apps) {
+ app.checkAfterInstall();
+ }
+
+ // Updating package -- changing set of apps in package and setting hybrid mode
+ InstallRequest updateRequest;
+ updateRequest.setPkgId(apps[0].getPkgId());
+ updateRequest.setAppId(appIds[0]);
+ updateRequest.nextApp();
+ updateRequest.setAppId(appIds[1]);
+ updateRequest.setHybrid();
+
+ Api::update(updateRequest);
+
+ // Package became hybrid, so every app has its own Smack label
+ for (auto &app : apps) {
+ app.setHybrid();
+ }
+ apps[0].checkAfterInstall();
+ apps[1].checkAfterInstall();
+
+ // Package became hybrid properly,
+ // so app not included in updated version of package was uninstalled.
+ apps[2].checkAfterUninstall(false);
+ }
+
+ for (const auto &app : apps) {
+ app.checkAfterUninstall();
+ }
+}
+
+RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
+{
+ constexpr char pkgIdPrefix[] = "sm_test_09d";
+ AppInstallHelperExt apps[] = {{"sm_test_09d_0", pkgIdPrefix},
+ {"sm_test_09d_1", pkgIdPrefix},
+ {"sm_test_09d_2", pkgIdPrefix}};
+ static_assert(sizeof(apps) > 0);
+
+ std::vector<std::string> appIds;
+ for (const auto &app : apps)
+ appIds.push_back(app.getAppId());
+
+ {
+ ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
+
+ InstallRequest updateRequest;
+ updateRequest.setPkgId(apps[0].getPkgId());
+ for (unsigned int i = 0; i < appIds.size(); i++) {
+ if (i > 0) {
+ updateRequest.nextApp();
+ }
+ updateRequest.setAppId(appIds[i]);
+ }
+ updateRequest.setHybrid();
+ Api::update(updateRequest);
+
+ InstallRequest uninstRequest;
+ uninstRequest.setPkgId(apps[0].getPkgId());
+ uninstRequest.setAppId(appIds[0]);
+ Api::uninstall(uninstRequest);
+
+ for (auto &app : apps) {
+ app.setHybrid();
+ }
+ apps[0].checkAfterUninstall(false);
+ }
+ for (const auto &app : apps) {
+ app.checkAfterUninstall();
+ }
}
RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
{
- const std::vector<std::string> allowedPrivs = {
- "http://tizen.org/privilege/wifidirect",
- "http://tizen.org/privilege/telephony"
- };
- const std::vector<std::string> someDeniedPrivs = {
- "http://tizen.org/privilege/vpnservice",
- "http://tizen.org/privilege/notification"
- };
- AppInstallHelper app("sm_test_10");
+ const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
+ const PrivilegeVector someDeniedPrivs = {PRIV_VPNSERVICE, PRIV_NOTIFICATION};
+
+ AppInstallHelperExt app("sm_test_10");
app.addPrivileges(allowedPrivs);
ScopedInstaller appInstall(app);
- sm_app_has_privileges(app, allowedPrivs, 1);
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
// FIXME - all other existing privileges should be checked
- sm_app_has_privileges(app, someDeniedPrivs, 0);
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
{
- const privileges_t adminRequiredPrivs = {
- "http://tizen.org/privilege/notexist",
- "http://tizen.org/privilege/internal/usermanagement"
- };
- const privileges_t manifestPrivs = {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/datasharing"
- };
- const privileges_t allowedPrivsAfterChange = {"http://tizen.org/privilege/datasharing"};
- const privileges_t deniedPrivsAfterChange = {"http://tizen.org/privilege/internet"};
+ const PrivilegeVector adminRequiredPrivs = {PRIV_NOTEXIST, PRIV_INTERNAL_USERMANAGEMENT};
+ const PrivilegeVector manifestPrivs = {PRIV_INTERNET, PRIV_DATASHARING};
+ const PrivilegeVector allowedPrivsAfterChange = {PRIV_DATASHARING};
+ const PrivilegeVector deniedPrivsAfterChange = {PRIV_INTERNET};
+
TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false);
TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false);
adminUser.create();
normalUser.create();
- std::string childUidStr = normalUser.getUidString();
AppInstallHelper adminApp("sm_test_21_admin", adminUser.getUid());
adminApp.addPrivileges(adminRequiredPrivs);
ScopedInstaller adminAppInstall(adminApp);
- AppInstallHelper normalApp("sm_test_21_normal", normalUser.getUid());
+ AppInstallHelperExt normalApp("sm_test_21_normal", normalUser.getUid());
normalApp.addPrivileges(manifestPrivs);
ScopedInstaller normalAppInstall(normalApp);
-
- check_app_permissions(normalApp.getAppId(), normalApp.getPkgId(), childUidStr,
- manifestPrivs, {});
+ normalApp.checkAfterInstall();
pid_t pid = fork();
RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
if (pid != 0) { //parent process
waitPid(pid);
- check_app_permissions(normalApp.getAppId(), normalApp.getPkgId(), childUidStr,
- allowedPrivsAfterChange, deniedPrivsAfterChange);
+ normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange);
} else {
Api::setProcessLabel(adminApp.getAppId());
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0,
PolicyRequest addPolicyReq;
for (auto &deniedPriv : deniedPrivsAfterChange) {
PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv);
- entry.setMaxLevel("Deny");
+ entry.setMaxLevel(PolicyEntry::LEVEL_DENY);
addPolicyReq.addEntry(entry);
}
Api::sendPolicy(addPolicyReq);
const std::string appopt = " --app=" + app_id;
const std::string uidopt = " --uid=" + user.getUidString();
- mktreeSafe(path1.c_str(), 0);
- mktreeSafe(path2.c_str(), 0);
+ mktreeSafe(path1, 0);
+ mktreeSafe(path2, 0);
const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
RUNNER_TEST(security_manager_25a_global_user_set_install_type_global)
{
- AppInstallHelper app("sm_test_25a");
+ AppInstallHelperExt app("sm_test_25a");
app.setInstallType(SM_APP_INSTALL_GLOBAL);
{
ScopedInstaller appInstall(app);
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
}
// Check records in the security-manager database
- check_app_after_uninstall(app.getAppId(), app.getPkgId());
+ app.checkAfterUninstall();
}
RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
RUNNER_TEST(security_manager_25c_global_user_set_install_type_preloaded)
{
- AppInstallHelper app("sm_test_25c");
+ AppInstallHelperExt app("sm_test_25c");
app.setInstallType(SM_APP_INSTALL_PRELOADED);
{
ScopedInstaller appInstall(app);
- check_app_after_install(app.getAppId(), app.getPkgId());
+ app.checkAfterInstall();
}
- check_app_after_uninstall(app.getAppId(), app.getPkgId());
+ app.checkAfterUninstall();
}
RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
*/
RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
{
+ RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
+
TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
AppInstallHelper app("sm_test_25e");
- change_label("_");
+ ScopedProcessLabel spl("_", false);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
"drop_root_privileges failed");
RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
{
+ RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
+
TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
AppInstallHelper app("sm_test_25f");
- change_label("_");
+ ScopedProcessLabel spl("_", false);
RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
"drop_root_privileges failed");
InstallRequest invalidReq;
Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
}
-
RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
{
- std::vector<std::string> allowedPrivs = {
- "http://tizen.org/privilege/volume.set",
- "http://tizen.org/privilege/systemmonitor",
- "http://tizen.org/privilege/internet"
- };
- std::vector<std::string> someDeniedPrivs = {
- "http://tizen.org/privilege/push",
- "http://tizen.org/privilege/power",
- "http://tizen.org/privilege/notification"
- };
+ const PrivilegeVector allowedPrivs = {PRIV_VOLUME_SET, PRIV_SYSTEMMONITOR, PRIV_INTERNET};
+ const PrivilegeVector someDeniedPrivs = {PRIV_PUSH, PRIV_POWER, PRIV_NOTIFICATION};
TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- AppInstallHelper app("sm_test_25g", testUser.getUid());
+ AppInstallHelperExt app("sm_test_25g", testUser.getUid());
app.createPrivateDir();
app.setInstallType(SM_APP_INSTALL_LOCAL);
app.addPrivileges(allowedPrivs);
"drop_root_privileges failed");
{
ScopedInstaller appInstall(app);
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- allowedPrivs, someDeniedPrivs);
-
+ app.checkAfterInstall();
+ app.checkDeniedPrivileges(someDeniedPrivs);
}
- check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
- {}, merge(allowedPrivs, someDeniedPrivs));
- // TODO - check if app is properly uninstalled
+ app.checkAfterUninstall();
}
RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
Api::install(invalidReq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
}
+RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check)
+{
+ TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
+
+ const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
+
+ AppInstallHelperExt app1("sm_test_26_1", "sm_test_26", testUser.getUid());
+ app1.addPrivileges(allowedPrivs);
+ app1.setHybrid();
+
+ AppInstallHelperExt app2("sm_test_26_2", "sm_test_26", testUser.getUid());
+ app2.addPrivileges(allowedPrivs);
+ app2.setHybrid();
+
+ {
+ ScopedInstaller appInstall1(app1);
+ ScopedInstaller appInstall2(app2);
+ app1.checkAfterInstall();
+ app2.checkAfterInstall();
+
+ }
+ app1.checkAfterUninstall(false);
+ app2.checkAfterUninstall();
+}