#include <sys/capability.h>
#include <semaphore.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <attr/xattr.h>
static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
-static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
-static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
-static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
+static const char *const SM_RW_PATH = "/usr/apps/app_dir";
+static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro";
+static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
+
static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
static const std::string EXEC_FILE("exec");
static const std::string NORMAL_FILE("normal");
}
};
-static void generateAppLabel(const std::string &pkgId, std::string &label)
+static void generateAppLabel(const std::string &appId, std::string &label)
{
- (void) pkgId;
+ (void) appId;
label = "User";
}
}
-static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
+static int nftw_check_sm_labels_app_rw_dir(const char *fpath, const struct stat *sb,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
}
-static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
+static int nftw_check_sm_labels_app_ro_dir(const char *fpath, const struct stat *sb,
int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
- return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
+ return nftw_check_sm_labels_app_dir(fpath, sb, "User::Home", true, false);
}
static void prepare_app_path()
{
int result;
- result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
+ result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
+ result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
{
int result;
- result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
+ result = nftw(SM_RW_PATH, &nftw_check_sm_labels_app_rw_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
+ result = nftw(SM_RO_PATH, &nftw_check_sm_labels_app_ro_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
const privileges_t &allowed_privs, const privileges_t &denied_privs)
{
- (void) app_id;
+ (void) pkg_id;
std::string smackLabel;
- generateAppLabel(pkg_id, smackLabel);
+ generateAppLabel(app_id, smackLabel);
CynaraTestClient::Client ctc;
requestInst.setPkgId(sm_pkg_id);
requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
- requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE);
- requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
+ requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
Api::install(requestInst);
//install app for non-root user
//should fail (users may only register folders inside their home)
prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH,
+ SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
requestUid ? user.getUid() : 0);
Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
//install app for non-root user
//should succeed - this time i register folder inside user's home dir
prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_PRIVATE, appDir.c_str(),
+ SECURITY_MANAGER_PATH_RW, appDir.c_str(),
requestUid ? user.getUid() : 0);
for (auto &privilege : SM_ALLOWED_PRIVILEGES)
std::string uid_string;
TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
test_user.create();
- uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
+ test_user.getUidString(uid_string);
+
+ removeTestDirs(test_user);
+ createTestDirs(test_user);
install_app(sm_app_id, sm_pkg_id, test_user.getUid());
const char *const sm_app_id = "sm_test_08_app_id_user";
const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
- const char *const new_user_name = "sm_test_08_user_name";
+ const std::string new_user_name = "sm_test_08_user_name";
std::string uid_string;
// gumd user add
TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
test_user.create();
- uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
+ test_user.getUidString(uid_string);
+
+ removeTestDirs(test_user);
+ createTestDirs(test_user);
addUserRequest.setUid(test_user.getUid());
addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
{
const char *const app_id = "security_manager_09_add_user_offline_app";
const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
- const std::string username("sm_test_09_user_name");
+ const std::string new_user_name("sm_test_09_user_name");
ServiceManager serviceManager("security-manager.service");
serviceManager.maskService();
serviceManager.stopService();
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
- user.create();
+ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
+ test_user.create();
+
+ removeTestDirs(test_user);
+ createTestDirs(test_user);
- install_app(app_id, pkg_id, user.getUid());
+ install_app(app_id, pkg_id, test_user.getUid());
check_app_after_install(app_id, pkg_id);
serviceManager.unmaskService();
serviceManager.startService();
- user.remove();
+ test_user.remove();
check_app_after_uninstall(app_id, pkg_id, true);
}
-RUNNER_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
+RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
{
//TEST DATA
const std::string username("sm_test_10_user_name");
};
}
-RUNNER_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
+RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
};
}
-RUNNER_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
+RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
};
}
-RUNNER_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
+RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
};
}
-RUNNER_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
+RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
{
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
}
}
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
{
const char *const update_app_id = "security_manager_17_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
}
}
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
+RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
{
const std::string username("sm_test_17_user_name");
const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
const std::string username("sm_test_10_user_cynara_policy");
CynaraTestAdmin::Admin admin;
+ std::string uid_string;
TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
user.create();
- std::string uid_string = std::to_string(static_cast<unsigned int>(user.getUid()));
+ user.getUidString(uid_string);
CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
const std::string app_id = "security_manager_10_app";
const std::string pkg_id = "security_manager_10_pkg";
const std::string username("sm_test_10_user_name");
+ std::string uid_string;
TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
user.create();
+ user.getUidString(uid_string);
const std::string path1 = "/home/" + username + "/p1";
const std::string path2 = "/home/" + username + "/p2";
const std::string pkgopt = " --pkg=" + pkg_id;
const std::string appopt = " --app=" + app_id;
- const std::string uidopt = " --uid=" + std::to_string(static_cast<unsigned int>(user.getUid()));
+ const std::string uidopt = " --uid=" + uid_string;
mkdir(path1.c_str(), 0);
mkdir(path2.c_str(), 0);
const int SUCCESS = 0;
const int FAILURE = 256;
const std::string username("sm_test_11_user_name");
+ std::string uid_string;
TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
user.create();
- const std::string uidopt = " --uid=" + std::to_string(static_cast<unsigned int>(user.getUid()));
+ user.getUidString(uid_string);
+ const std::string uidopt = " --uid=" + uid_string;
struct operation {
std::string command;
}
}
+RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
+{
+ const int BUFFER_SIZE = 128;
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ char buf[BUFFER_SIZE];
+ } msg;
+
+ privileges_t admin_required_privs = {
+ "http://tizen.org/privilege/systemsettings.admin",
+ "http://tizen.org/privilege/systemsettings"};
+ privileges_t manifest_privs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/camera"};
+ privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+ privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
+
+ const std::string pirivman_id = "sm_test_13_ADMIN_APP";
+ const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
+ const std::string app_id = "sm_test_13_SOME_APP";
+ const std::string pkg_id = "sm_test_13_SOME_PKG";
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ std::string childuidstr;
+ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
+ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+
+ InstallRequest request,request2;
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ admin.create();
+ child.create();
+ child.getUidString(childuidstr);
+
+ //install privacy manager for admin
+ request.setAppId(pirivman_id.c_str());
+ request.setPkgId(pirivman_pkg_id.c_str());
+ request.setUid(admin.getUid());
+ for (auto &priv: admin_required_privs)
+ request.addPrivilege(priv.c_str());
+ Api::install(request);
+
+ //install app for child that has internet privilege
+ request2.setAppId(app_id.c_str());
+ request2.setPkgId(pkg_id.c_str());
+ request2.setUid(child.getUid());
+ for (auto &priv: manifest_privs)
+ request2.addPrivilege(priv.c_str());
+ Api::install(request2);
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ manifest_privs, SM_NO_PRIVILEGES);
+
+ //send info to child
+ msg.uid = admin.getUid();
+ msg.gid = admin.getGid();
+ strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ //wait for child
+ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ real_privs_allow, real_privs_deny);
+ }
+ if (pid == 0)//child
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(pirivman_id.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ PolicyRequest addPolicyReq;
+ //change rights
+ for (auto &denypriv:real_privs_deny) {
+ /*this entry will deny some privileges for user whose uid (as c string)
+ was sent in message's buf field.
+ That user would be denying internet for child in this case*/
+ PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+ entry.setMaxLevel("Deny");
+ addPolicyReq.addEntry(entry);
+ }
+ Api::sendPolicy(addPolicyReq);
+ exit(0);
+ }
+}
+
int main(int argc, char *argv[])
{
return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);