projects / platform / core / test / security-tests.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Test scenario for denying some privileges to a user by admin
[platform/core/test/security-tests.git] / tests / security-manager-tests / security_manager_tests.cpp
diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp
index 8c98d9a..a342ea9 100644 (file)
--- a/tests/security-manager-tests/security_manager_tests.cpp
+++ b/tests/security-manager-tests/security_manager_tests.cpp
@@ -8,6 +8,9 @@
 #include <sys/capability.h>
 #include <semaphore.h>
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <attr/xattr.h>
@@ -33,6 +36,7 @@
 #include <cynara_test_client.h>
 #include <cynara_test_admin.h>
 #include <service_manager.h>
+#include <cynara_test_admin.h>
 
 using namespace SecurityManagerTest;
 
@@ -825,7 +829,7 @@ RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
     std::string uid_string;
     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
     test_user.create();
-    uid_string =  std::to_string(static_cast<unsigned int>(test_user.getUid()));
+    test_user.getUidString(uid_string);
 
     install_app(sm_app_id, sm_pkg_id, test_user.getUid());
 
@@ -850,7 +854,7 @@ RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
     // gumd user add
     TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
     test_user.create();
-    uid_string =  std::to_string(static_cast<unsigned int>(test_user.getUid()));
+    test_user.getUidString(uid_string);
 
     addUserRequest.setUid(test_user.getUid());
     addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
@@ -1847,6 +1851,438 @@ RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
     }
 }
 
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+{
+    const char *const update_app_id = "security_manager_17_update_app_id";
+    const char *const update_privilege = "http://tizen.org/privilege/led";
+    const char *const check_start_bucket = "";
+    const std::string username("sm_test_17_username");
+    PolicyRequest addPolicyRequest;
+    CynaraTestAdmin::Admin admin;
+
+    std::string smackLabel;
+    generateAppLabel(update_app_id, smackLabel);
+
+    struct message {
+        uid_t uid;
+        gid_t gid;
+    } msg;
+
+    int pipefd[2];
+    int pipefd2[2];
+    pid_t pid;
+    int result = 0;
+
+    RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+    RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
+
+    TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+    user.create();
+
+    pid = fork();
+    RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+    if (pid != 0)//parent process
+    {
+        FdUniquePtr pipeptr(pipefd+1);
+        close(pipefd[0]);
+
+        register_current_process_as_privilege_manager(user.getUid(), false);
+
+        //send info to child
+        msg.uid = user.getUid();
+        msg.gid = user.getGid();
+
+        ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+        //wait for child
+        RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+        admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+                std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+
+        pid = fork();
+        if (pid != 0)//parent process
+        {
+            FdUniquePtr pipeptr(pipefd2+1);
+            close(pipefd2[0]);
+
+            //send info to child
+            msg.uid = user.getUid();
+            msg.gid = user.getGid();
+
+            ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
+            RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+            //wait for child
+            RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+            //wait for child
+            waitpid(-1, &result, 0);
+
+            admin.adminCheck(check_start_bucket, false, smackLabel.c_str(),
+                    std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
+        }
+        if(pid == 0)
+        {
+            FdUniquePtr pipeptr(pipefd2);
+            close(pipefd2[1]);
+
+            ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
+            RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+            //become admin privacy manager manager
+            Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+            result = drop_root_privileges(msg.uid, msg.gid);
+            RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+            // delete this entry
+            PolicyRequest deletePolicyRequest;
+            PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+            deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
+
+            deletePolicyRequest.addEntry(deleteEntry);
+            Api::sendPolicy(deletePolicyRequest);
+            exit(0);
+        }
+    }
+    if(pid == 0)
+    {
+        FdUniquePtr pipeptr(pipefd);
+        close(pipefd[1]);
+
+        ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+        //become admin privacy manager manager
+        Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+        result = drop_root_privileges(msg.uid, msg.gid);
+        RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+        PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+        entry.setLevel("Allow");
+
+        addPolicyRequest.addEntry(entry);
+        Api::sendPolicy(addPolicyRequest);
+        exit(0);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
+{
+    const std::string username("sm_test_17_user_name");
+
+    struct message {
+        uid_t uid;
+        gid_t gid;
+        unsigned int privileges_count;
+    } msg;
+
+    int pipefd[2];
+    pid_t pid;
+    int result = 0;
+
+    RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+    pid = fork();
+    RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+    if (pid != 0)//parent process
+    {
+        FdUniquePtr pipeptr(pipefd+1);
+        close(pipefd[0]);
+
+        TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
+        user.create();
+
+        unsigned int privileges_count = 0;
+
+        register_current_process_as_privilege_manager(user.getUid(), false);
+        //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+        ++privileges_count;
+
+        for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
+            InstallRequest requestInst;
+            requestInst.setAppId(MANY_APPS[i].c_str());
+            requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
+            requestInst.setUid(user.getUid());
+
+            for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
+                requestInst.addPrivilege(priv.c_str());
+            };
+
+            Api::install(requestInst);
+            privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
+        };
+
+        //send info to child
+        msg.uid = user.getUid();
+        msg.gid = user.getGid();
+        msg.privileges_count = privileges_count;
+
+        ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+        //wait for child
+        RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+    }
+    if(pid == 0)
+    {
+        FdUniquePtr pipeptr(pipefd);
+        close(pipefd[1]);
+
+        ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+        //become admin privacy manager manager
+        Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+        result = drop_root_privileges(msg.uid, msg.gid);
+        RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+        // filter by privilege
+        std::vector<PolicyEntry> policyEntries;
+        PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
+        Api::getPolicy(filter, policyEntries);
+
+        RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+        RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
+
+        // filter by other privilege
+        policyEntries.clear();
+        PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
+        Api::getPolicy(filter2, policyEntries);
+
+        RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+        RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
+
+        // filter by appId
+        policyEntries.clear();
+        PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
+        Api::getPolicy(filter3, policyEntries);
+
+        RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+        RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy)
+{
+    const char *const MAIN_BUCKET = "MAIN";
+    const char *const MANIFESTS_BUCKET = "MANIFESTS";
+    const char *const ADMIN_BUCKET = "ADMIN";
+    const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
+    const std::string username("sm_test_10_user_cynara_policy");
+    CynaraTestAdmin::Admin admin;
+    std::string uid_string;
+    TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+    user.create();
+    user.getUidString(uid_string);
+
+    CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
+    nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
+    admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
+
+    user.remove();
+    CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
+
+    admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+    admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+    admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+    admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+}
+
+RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install)
+{
+    int ret;
+    const int SUCCESS = 0;
+    const int FAILURE = 256;
+    const std::string app_id = "security_manager_10_app";
+    const std::string pkg_id = "security_manager_10_pkg";
+    const std::string username("sm_test_10_user_name");
+    std::string uid_string;
+    TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+    user.create();
+    user.getUidString(uid_string);
+    const std::string path1 = "/home/" + username + "/p1";
+    const std::string path2 = "/home/" + username + "/p2";
+    const std::string pkgopt = " --pkg=" + pkg_id;
+    const std::string appopt = " --app=" + app_id;
+    const std::string uidopt = " --uid=" + uid_string;
+
+    mkdir(path1.c_str(), 0);
+    mkdir(path2.c_str(), 0);
+
+    const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
+
+    struct operation {
+        std::string command;
+        int expected_result;
+    };
+    std::vector<struct operation> operations = {
+            {"security-manager-cmd", FAILURE},//no option
+            {"security-manager-cmd --blah", FAILURE},//blah option is not known
+            {"security-manager-cmd --help", SUCCESS},
+            {"security-manager-cmd --install", FAILURE},//no params
+            {"security-manager-cmd -i", FAILURE},//no params
+            {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
+            {installcmd, SUCCESS},
+            {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
+            {installcmd + " --path " + path1 + " private", SUCCESS},
+            {installcmd + " --path " + path1, FAILURE},//no path type
+            {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS},
+            {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type
+            {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+    };
+
+    for (auto &op : operations) {
+        ret = system(op.command.c_str());
+        RUNNER_ASSERT_MSG(ret == op.expected_result,
+                "Unexpected result for command '" << op.command <<"': "
+                << ret << " Expected was: "<< op.expected_result);
+    }
+}
+
+RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
+{
+    int ret;
+    const int SUCCESS = 0;
+    const int FAILURE = 256;
+    const std::string username("sm_test_11_user_name");
+    std::string uid_string;
+    TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+    user.create();
+    user.getUidString(uid_string);
+    const std::string uidopt = " --uid=" + uid_string;
+
+    struct operation {
+        std::string command;
+        int expected_result;
+    };
+    std::vector<struct operation> operations = {
+            {"security-manager-cmd --manage-users=remove", FAILURE},//no params
+            {"security-manager-cmd -m", FAILURE},//no params
+            {"security-manager-cmd -mr", FAILURE},//no uid
+            {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
+            {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
+            {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
+            {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
+            {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
+            {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
+            {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
+            {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
+    };
+
+    for (auto &op : operations) {
+        ret = system(op.command.c_str());
+        RUNNER_ASSERT_MSG(ret == op.expected_result,
+                "Unexpected result for command '" << op.command <<"': "
+                << ret << " Expected was: "<< op.expected_result);
+    }
+}
+
+RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
+{
+    const int BUFFER_SIZE = 128;
+    struct message {
+        uid_t uid;
+        gid_t gid;
+        char buf[BUFFER_SIZE];
+    } msg;
+
+    privileges_t admin_required_privs = {
+            "http://tizen.org/privilege/systemsettings.admin",
+            "http://tizen.org/privilege/systemsettings"};
+    privileges_t manifest_privs = {
+            "http://tizen.org/privilege/internet",
+            "http://tizen.org/privilege/camera"};
+    privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+    privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
+
+    const std::string pirivman_id = "sm_test_13_ADMIN_APP";
+    const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
+    const std::string app_id = "sm_test_13_SOME_APP";
+    const std::string pkg_id = "sm_test_13_SOME_PKG";
+
+    int pipefd[2];
+    pid_t pid;
+    int result = 0;
+
+    RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+    pid = fork();
+    RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+    if (pid != 0)//parent process
+    {
+        std::string childuidstr;
+        TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
+        TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+
+        InstallRequest request,request2;
+        FdUniquePtr pipeptr(pipefd+1);
+        close(pipefd[0]);
+
+        admin.create();
+        child.create();
+        child.getUidString(childuidstr);
+
+        //install privacy manager for admin
+        request.setAppId(pirivman_id.c_str());
+        request.setPkgId(pirivman_pkg_id.c_str());
+        request.setUid(admin.getUid());
+        for (auto &priv: admin_required_privs)
+            request.addPrivilege(priv.c_str());
+        Api::install(request);
+
+        //install app for child that has internet privilege
+        request2.setAppId(app_id.c_str());
+        request2.setPkgId(pkg_id.c_str());
+        request2.setUid(child.getUid());
+        for (auto &priv: manifest_privs)
+            request2.addPrivilege(priv.c_str());
+        Api::install(request2);
+
+        check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+                              manifest_privs, SM_NO_PRIVILEGES);
+
+        //send info to child
+        msg.uid = admin.getUid();
+        msg.gid = admin.getGid();
+        strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+
+        ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+        //wait for child
+        RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+        check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+                              real_privs_allow, real_privs_deny);
+    }
+    if (pid == 0)//child
+    {
+        FdUniquePtr pipeptr(pipefd);
+        close(pipefd[1]);
+
+        ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+        //become admin privacy manager manager
+        Api::setProcessLabel(pirivman_id.c_str());
+        result = drop_root_privileges(msg.uid, msg.gid);
+        RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+        PolicyRequest addPolicyReq;
+        //change rights
+        for (auto &denypriv:real_privs_deny) {
+            /*this entry will deny some privileges for user whose uid (as c string)
+              was sent in message's buf field.
+              That user would be denying internet for child in this case*/
+            PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+            entry.setMaxLevel("Deny");
+            addPolicyReq.addEntry(entry);
+        }
+        Api::sendPolicy(addPolicyReq);
+        exit(0);
+    }
+}
+
 int main(int argc, char *argv[])
 {
     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
Domain: Security / Uncategorized;