#include <sys/capability.h>
#include <semaphore.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <attr/xattr.h>
static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
-static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
-static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
-static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
+static const char *const SM_RW_PATH = "/usr/apps/app_dir";
+static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro";
+static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
+
static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
static const std::string EXEC_FILE("exec");
static const std::string NORMAL_FILE("normal");
}
};
-static void generateAppLabel(const std::string &pkgId, std::string &label)
+static std::string generateAppLabel(const std::string &appId)
{
- (void) pkgId;
- label = "User";
+ return "User::App::" + appId;
}
static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
return 0;
}
+// nftw doesn't allow passing user data to functions. Work around by using global variable
+static std::string nftw_expected_label;
+bool nftw_expected_transmute;
+bool nftw_expected_exec;
-static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
+static int nftw_check_sm_labels(const char *fpath, const struct stat *sb,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
- return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
-}
-
-static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
-
- return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
+ return nftw_check_sm_labels_app_dir(fpath, sb,
+ nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec);
}
static void prepare_app_path()
{
int result;
- result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
+ result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
+ result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
prepare_app_path();
}
-/* TODO: add parameters to this function */
-static void check_app_path_after_install()
+static void check_app_path_after_install(const char *appId)
{
int result;
- result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
+ nftw_expected_label = generateAppLabel(appId);
+ nftw_expected_transmute = false;
+ nftw_expected_exec = true;
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
+ result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
+
+ nftw_expected_label = "User::Home";
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+
+ result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
const privileges_t &allowed_privs, const privileges_t &denied_privs)
{
- (void) app_id;
- std::string smackLabel;
- generateAppLabel(pkg_id, smackLabel);
+ (void) pkg_id;
+ std::string smackLabel = generateAppLabel(app_id);
CynaraTestClient::Client ctc;
requestInst.setPkgId(sm_pkg_id);
requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
- requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE);
- requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
+ requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
Api::install(requestInst);
SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
/* TODO: add parameters to this function */
- check_app_path_after_install();
+ check_app_path_after_install(sm_app_id);
InstallRequest requestUninst;
requestUninst.setAppId(sm_app_id);
{
const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
- const char *const expected_label = USER_APP_ID;
const char *const socketLabel = "not_expected_label";
+ std::string expected_label = generateAppLabel(app_id);
char *label = nullptr;
CStringPtr labelPtr;
int result;
ssize_t size;
size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
- result = strcmp(expected_label, value);
+ result = expected_label.compare(value);
RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
expected_label << " Actual: " << value);
size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
- result = strcmp(expected_label, value);
+ result = expected_label.compare(value);
RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
expected_label << " Actual: " << value);
" Process label is not set");
labelPtr.reset(label);
- result = strcmp(expected_label, label);
+ result = expected_label.compare(label);
RUNNER_ASSERT_MSG(result == 0,
" Process label is incorrect. Expected: \"" << expected_label <<
"\" Actual: \"" << label << "\"");
//install app for non-root user
//should fail (users may only register folders inside their home)
prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH,
+ SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
requestUid ? user.getUid() : 0);
Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
//install app for non-root user
//should succeed - this time i register folder inside user's home dir
prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_PRIVATE, appDir.c_str(),
+ SECURITY_MANAGER_PATH_RW, appDir.c_str(),
requestUid ? user.getUid() : 0);
for (auto &privilege : SM_ALLOWED_PRIVILEGES)
test_user.create();
test_user.getUidString(uid_string);
+ removeTestDirs(test_user);
+ createTestDirs(test_user);
+
install_app(sm_app_id, sm_pkg_id, test_user.getUid());
check_app_after_install(sm_app_id, sm_pkg_id);
const char *const sm_app_id = "sm_test_08_app_id_user";
const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
- const char *const new_user_name = "sm_test_08_user_name";
+ const std::string new_user_name = "sm_test_08_user_name";
std::string uid_string;
// gumd user add
test_user.create();
test_user.getUidString(uid_string);
+ removeTestDirs(test_user);
+ createTestDirs(test_user);
+
addUserRequest.setUid(test_user.getUid());
addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
{
const char *const app_id = "security_manager_09_add_user_offline_app";
const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
- const std::string username("sm_test_09_user_name");
+ const std::string new_user_name("sm_test_09_user_name");
ServiceManager serviceManager("security-manager.service");
serviceManager.maskService();
serviceManager.stopService();
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
- user.create();
+ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
+ test_user.create();
- install_app(app_id, pkg_id, user.getUid());
+ removeTestDirs(test_user);
+ createTestDirs(test_user);
+
+ install_app(app_id, pkg_id, test_user.getUid());
check_app_after_install(app_id, pkg_id);
serviceManager.unmaskService();
serviceManager.startService();
- user.remove();
+ test_user.remove();
check_app_after_uninstall(app_id, pkg_id, true);
}
-RUNNER_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
+RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
{
//TEST DATA
const std::string username("sm_test_10_user_name");
};
}
-RUNNER_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
+RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
};
}
-RUNNER_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
+RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
};
}
-RUNNER_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
+RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
};
}
-RUNNER_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
+RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_other_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
}
if(pid == 0)
}
}
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
{
const char *const update_app_id = "security_manager_17_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
- std::string smackLabel;
- generateAppLabel(update_app_id, smackLabel);
-
struct message {
uid_t uid;
gid_t gid;
//wait for child
RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
pid = fork();
//wait for child
waitpid(-1, &result, 0);
- admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
}
if(pid == 0)
}
}
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
+RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
{
const std::string username("sm_test_17_user_name");
}
}
+RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
+{
+ const int BUFFER_SIZE = 128;
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ char buf[BUFFER_SIZE];
+ } msg;
+
+ privileges_t admin_required_privs = {
+ "http://tizen.org/privilege/systemsettings.admin",
+ "http://tizen.org/privilege/systemsettings"};
+ privileges_t manifest_privs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/camera"};
+ privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+ privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
+
+ const std::string pirivman_id = "sm_test_13_ADMIN_APP";
+ const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
+ const std::string app_id = "sm_test_13_SOME_APP";
+ const std::string pkg_id = "sm_test_13_SOME_PKG";
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ std::string childuidstr;
+ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
+ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+
+ InstallRequest request,request2;
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ admin.create();
+ child.create();
+ child.getUidString(childuidstr);
+
+ //install privacy manager for admin
+ request.setAppId(pirivman_id.c_str());
+ request.setPkgId(pirivman_pkg_id.c_str());
+ request.setUid(admin.getUid());
+ for (auto &priv: admin_required_privs)
+ request.addPrivilege(priv.c_str());
+ Api::install(request);
+
+ //install app for child that has internet privilege
+ request2.setAppId(app_id.c_str());
+ request2.setPkgId(pkg_id.c_str());
+ request2.setUid(child.getUid());
+ for (auto &priv: manifest_privs)
+ request2.addPrivilege(priv.c_str());
+ Api::install(request2);
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ manifest_privs, SM_NO_PRIVILEGES);
+
+ //send info to child
+ msg.uid = admin.getUid();
+ msg.gid = admin.getGid();
+ strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ real_privs_allow, real_privs_deny);
+ }
+ if (pid == 0)//child
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(pirivman_id.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ PolicyRequest addPolicyReq;
+ //change rights
+ for (auto &denypriv:real_privs_deny) {
+ /*this entry will deny some privileges for user whose uid (as c string)
+ was sent in message's buf field.
+ That user would be denying internet for child in this case*/
+ PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+ entry.setMaxLevel("Deny");
+ addPolicyReq.addEntry(entry);
+ }
+ Api::sendPolicy(addPolicyReq);
+ exit(0);
+ }
+}
+
int main(int argc, char *argv[])
{
return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
projects / platform / core / test / security-tests.git / blobdiff