X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Fsecurity-manager-tests%2Fsecurity_manager_tests.cpp;h=7a23d2c36c446b98f9b61502c45f9b6c6ba57046;hb=bd96d248691c187baf49f63e88390253833dfc33;hp=82953f07d2905f171dc210a848be01a280b0472d;hpb=e8fcfaae1458a26116b9b5b926af2acef0375b80;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index 82953f0..7a23d2c 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -1,3 +1,4 @@ +#include #include #include #include @@ -5,12 +6,20 @@ #include #include #include +#include +#include +#include +#include #include #include #include #include +#include +#include +#include + #include #include @@ -25,7 +34,9 @@ #include #include #include +#include #include +#include using namespace SecurityManagerTest; @@ -47,18 +58,68 @@ static const privileges_t SM_NO_PRIVILEGES = { static const std::vector SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"}; -static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir"; -static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro"; -static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir"; +static const char *const SM_RW_PATH = "/usr/apps/app_dir"; +static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro"; +static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir"; + static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/ static const std::string EXEC_FILE("exec"); static const std::string NORMAL_FILE("normal"); static const std::string LINK_PREFIX("link_to_"); -static void generateAppLabel(const std::string &pkgId, std::string &label) +static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager"; +static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager"; +static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings"; +static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin"; + +static const std::vector MANY_APPS = { + "security_manager_10_app_1", + "security_manager_10_app_2", + "security_manager_10_app_3", + "security_manager_10_app_4", + "security_manager_10_app_5" +}; + +static const std::map MANY_APPS_PKGS = { + {"security_manager_10_app_1", "security_manager_10_pkg_1"}, + {"security_manager_10_app_2", "security_manager_10_pkg_2"}, + {"security_manager_10_app_3", "security_manager_10_pkg_3"}, + {"security_manager_10_app_4", "security_manager_10_pkg_4"}, + {"security_manager_10_app_5", "security_manager_10_pkg_5"}, + {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG} +}; + +static const std::vector MANY_APPS_PRIVILEGES = { + { + "http://tizen.org/privilege/internet", + "http://tizen.org/privilege/location" + }, + { + "http://tizen.org/privilege/telephony", + "http://tizen.org/privilege/camera" + }, + { + "http://tizen.org/privilege/contact.read", + "http://tizen.org/privilege/led", + "http://tizen.org/privilege/email" + }, + { + "http://tizen.org/privilege/led", + "http://tizen.org/privilege/email", + "http://tizen.org/privilege/telephony", + "http://tizen.org/privilege/camera" + }, + { + "http://tizen.org/privilege/internet", + "http://tizen.org/privilege/location", + "http://tizen.org/privilege/led", + "http://tizen.org/privilege/email" + } +}; + +static std::string generateAppLabel(const std::string &appId) { - (void) pkgId; - label = "User"; + return "User::App::" + appId; } static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb, @@ -107,29 +168,27 @@ static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb return 0; } +// nftw doesn't allow passing user data to functions. Work around by using global variable +static std::string nftw_expected_label; +bool nftw_expected_transmute; +bool nftw_expected_exec; -static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb, +static int nftw_check_sm_labels(const char *fpath, const struct stat *sb, int /*typeflag*/, struct FTW* /*ftwbuf*/) { - return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true); -} - -static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb, - int /*typeflag*/, struct FTW* /*ftwbuf*/) -{ - - return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false); + return nftw_check_sm_labels_app_dir(fpath, sb, + nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec); } static void prepare_app_path() { int result; - result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH); + result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH); - result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH); + result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH); result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH); @@ -140,16 +199,23 @@ static void prepare_app_env() prepare_app_path(); } -/* TODO: add parameters to this function */ -static void check_app_path_after_install() +static void check_app_path_after_install(const char *appId) { int result; - result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH); + nftw_expected_label = generateAppLabel(appId); + nftw_expected_transmute = false; + nftw_expected_exec = true; + + result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH); - result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH); + nftw_expected_label = "User::Home"; + nftw_expected_transmute = true; + nftw_expected_exec = false; + + result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS); + RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH); result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS); RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH); @@ -159,9 +225,8 @@ static void check_app_path_after_install() static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user, const privileges_t &allowed_privs, const privileges_t &denied_privs) { - (void) app_id; - std::string smackLabel; - generateAppLabel(pkg_id, smackLabel); + (void) pkg_id; + std::string smackLabel = generateAppLabel(app_id); CynaraTestClient::Client ctc; @@ -278,6 +343,40 @@ static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pk check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed); } +static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false) +{ + InstallRequest request; + request.setAppId(PRIVILEGE_MANAGER_APP.c_str()); + request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str()); + request.setUid(uid); + request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str()); + if (forAdmin) + request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str()); + Api::install(request); + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); +}; + +static inline struct passwd *getUserStruct(const std::string &userName) { + struct passwd *pw = nullptr; + errno = 0; + + while(!(pw = getpwnam(userName.c_str()))) { + RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed"); + }; + + return pw; +}; + +static inline struct passwd *getUserStruct(const uid_t uid) { + struct passwd *pw = nullptr; + errno = 0; + + while(!(pw = getpwuid(uid))) { + RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed"); + }; + + return pw; +}; RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER) @@ -378,8 +477,8 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full) requestInst.setPkgId(sm_pkg_id); requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str()); requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str()); - requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE); - requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO); + requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW); + requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO); Api::install(requestInst); @@ -388,7 +487,7 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full) SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS); /* TODO: add parameters to this function */ - check_app_path_after_install(); + check_app_path_after_install(sm_app_id); InstallRequest requestUninst; requestUninst.setAppId(sm_app_id); @@ -405,8 +504,8 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) { const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack"; const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack"; - const char *const expected_label = USER_APP_ID; const char *const socketLabel = "not_expected_label"; + std::string expected_label = generateAppLabel(app_id); char *label = nullptr; CStringPtr labelPtr; int result; @@ -439,13 +538,13 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) ssize_t size; size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value)); RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); - result = strcmp(expected_label, value); + result = expected_label.compare(value); RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << expected_label << " Actual: " << value); size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value)); RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value); - result = strcmp(expected_label, value); + result = expected_label.compare(value); RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " << expected_label << " Actual: " << value); @@ -456,7 +555,7 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) " Process label is not set"); labelPtr.reset(label); - result = strcmp(expected_label, label); + result = expected_label.compare(label); RUNNER_ASSERT_MSG(result == 0, " Process label is incorrect. Expected: \"" << expected_label << "\" Actual: \"" << label << "\""); @@ -546,7 +645,7 @@ static void install_and_check(const char *const sm_app_id, //install app for non-root user //should fail (users may only register folders inside their home) prepare_request(requestPrivate, sm_app_id, sm_pkg_id, - SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH, + SECURITY_MANAGER_PATH_RW, SM_RW_PATH, requestUid ? user.getUid() : 0); Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED); @@ -556,7 +655,7 @@ static void install_and_check(const char *const sm_app_id, //install app for non-root user //should succeed - this time i register folder inside user's home dir prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id, - SECURITY_MANAGER_PATH_PRIVATE, appDir.c_str(), + SECURITY_MANAGER_PATH_RW, appDir.c_str(), requestUid ? user.getUid() : 0); for (auto &privilege : SM_ALLOWED_PRIVILEGES) @@ -734,7 +833,10 @@ RUNNER_CHILD_TEST(security_manager_07_user_add_app_install) std::string uid_string; TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); test_user.create(); - uid_string = std::to_string(static_cast(test_user.getUid())); + test_user.getUidString(uid_string); + + removeTestDirs(test_user); + createTestDirs(test_user); install_app(sm_app_id, sm_pkg_id, test_user.getUid()); @@ -753,13 +855,16 @@ RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove) const char *const sm_app_id = "sm_test_08_app_id_user"; const char *const sm_pkg_id = "sm_test_08_pkg_id_user"; - const char *const new_user_name = "sm_test_08_user_name"; + const std::string new_user_name = "sm_test_08_user_name"; std::string uid_string; // gumd user add TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); test_user.create(); - uid_string = std::to_string(static_cast(test_user.getUid())); + test_user.getUidString(uid_string); + + removeTestDirs(test_user); + createTestDirs(test_user); addUserRequest.setUid(test_user.getUid()); addUserRequest.setUserType(SM_USER_TYPE_NORMAL); @@ -787,26 +892,1398 @@ RUNNER_CHILD_TEST(security_manager_09_add_user_offline) { const char *const app_id = "security_manager_09_add_user_offline_app"; const char *const pkg_id = "security_manager_09_add_user_offline_pkg"; - const std::string username("sm_test_09_user_name"); + const std::string new_user_name("sm_test_09_user_name"); ServiceManager serviceManager("security-manager.service"); serviceManager.maskService(); serviceManager.stopService(); - TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); - user.create(); + TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true); + test_user.create(); + + removeTestDirs(test_user); + createTestDirs(test_user); - install_app(app_id, pkg_id, user.getUid()); + install_app(app_id, pkg_id, test_user.getUid()); check_app_after_install(app_id, pkg_id); serviceManager.unmaskService(); serviceManager.startService(); - user.remove(); + test_user.remove(); check_app_after_uninstall(app_id, pkg_id, true); } +RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self) +{ + //TEST DATA + const std::string username("sm_test_10_user_name"); + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + MANY_APPS.at(i), std::set( + MANY_APPS_PRIVILEGES.at(i).begin(), + MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); + }; + + apps2PrivsMap.insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + ++privileges_count; + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + //TEST DATA END + + sem_t *mutex; + errno = 0; + RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno); + pid_t pid = fork(); + + if (pid != 0) { //parent process + TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false); + tmpUser.create(); + + for(const auto &user : users2AppsMap) { + + for(const auto &app : user.second) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(tmpUser.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); + }; + //Start child process + errno = 0; + RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno); + + int status; + wait(&status); + + tmpUser.remove(); + }; + + if (pid == 0) { //child process + errno = 0; + RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno); + //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable + + struct passwd *pw = getUserStruct(username); + register_current_process_as_privilege_manager(pw->pw_uid); + int result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + std::vector policyEntries; + PolicyEntry filter; + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); + + for (const auto &policyEntry : policyEntries) { + std::string user = policyEntry.getUser(); + std::string app = policyEntry.getAppId(); + std::string privilege = policyEntry.getPrivilege(); + + try { + struct passwd *pw_current = getUserStruct(static_cast(std::stoul(user))); + std::set::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege); + if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end()) + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what()); + } catch (const std::invalid_argument& e) { + RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what()); + }; + }; + exit(0); + }; +} + +RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged) +{ + //TEST DATA + const std::vector usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"}; + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + //Only entries for one of the users will be listed + privileges_count = 0; + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + MANY_APPS.at(i), std::set( + MANY_APPS_PRIVILEGES.at(i).begin(), + MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(0)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + + ++privileges_count; + //TEST DATA END + + sem_t *mutex; + errno = 0; + RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno); + pid_t pid = fork(); + + if (pid != 0) { //parent process + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + + //Install apps for both users + for(const auto &user : users) { + for(const auto &app : users2AppsMap.at(user.getUserName())) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(user.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); + }; + //Start child + errno = 0; + RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno); + + int status; + wait(&status); + + for(auto &user : users) { + user.remove(); + }; + }; + + if (pid == 0) { + errno = 0; + RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno); + struct passwd *pw = getUserStruct(usernames.at(0)); + register_current_process_as_privilege_manager(pw->pw_uid); + + //change uid to normal user + errno = 0; + int result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + std::vector policyEntries; + PolicyEntry filter; + + //this call should only return privileges belonging to the current uid + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); + + for (const auto &policyEntry : policyEntries) { + std::string user = policyEntry.getUser(); + std::string app = policyEntry.getAppId(); + std::string privilege = policyEntry.getPrivilege(); + + try { + struct passwd *pw_current = getUserStruct(static_cast(std::stoul(user))); + std::set::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege); + if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end()) + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what()); + } catch (const std::invalid_argument& e) { + RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what()); + }; + }; + exit(0); + }; +} + +RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged) +{ + //TEST DATA + const std::vector usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"}; + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + MANY_APPS.at(i), std::set( + MANY_APPS_PRIVILEGES.at(i).begin(), + MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(1)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE})); + + privileges_count += 2; + //TEST DATA END + + sem_t *mutex; + errno = 0; + RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno); + pid_t pid = fork(); + + if (pid != 0) { //parent process + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + //Install apps for both users + for(const auto &user : users) { + for(const auto &app : users2AppsMap.at(user.getUserName())) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(user.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); + }; + + //Start child + errno = 0; + RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno); + + //Wait for child to finish + int status; + wait(&status); + + for(auto &user : users) { + user.remove(); + }; + }; + + if (pid == 0) { //child process + errno = 0; + RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno); + + struct passwd *pw = getUserStruct(usernames.at(1)); + register_current_process_as_privilege_manager(pw->pw_uid, true); + + //change uid to normal user + int result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + std::vector policyEntries; + PolicyEntry filter; + //this call should succeed as the calling user is privileged + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); + + for (const auto &policyEntry : policyEntries) { + std::string user = policyEntry.getUser(); + std::string app = policyEntry.getAppId(); + std::string privilege = policyEntry.getPrivilege(); + + try { + struct passwd *pw_current = getUserStruct(static_cast(std::stoul(user))); + std::set::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege); + if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end()) + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what()); + } catch (const std::invalid_argument& e) { + RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what()); + }; + }; + + exit(0); + }; +} + +RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged) +{ + //TEST DATA + const std::vector usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"}; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + MANY_APPS.at(i), std::set( + MANY_APPS_PRIVILEGES.at(i).begin(), + MANY_APPS_PRIVILEGES.at(i).end()))); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(1)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + + //TEST DATA END + + pid_t pid[2]; + sem_t *mutex[2]; + errno = 0; + RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno); + std::vector policyEntries; + + pid[0] = fork(); + + if(pid[0] == 0) { //child #1 process + RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno); + struct passwd *pw = getUserStruct(usernames.at(0)); + register_current_process_as_privilege_manager(pw->pw_uid); + + //change uid to normal user + int result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry filter; + PolicyRequest policyRequest; + //this call should succeed as the calling user is privileged + Api::getPolicyForSelf(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty"); + + PolicyEntry policyEntry( + MANY_APPS[0], + std::to_string(pw->pw_uid), + "http://tizen.org/privilege/internet" + ); + policyEntry.setLevel("Deny"); + + policyRequest.addEntry(policyEntry); + policyEntry = PolicyEntry( + MANY_APPS[1], + std::to_string(pw->pw_uid), + "http://tizen.org/privilege/location" + ); + policyEntry.setLevel("Deny"); + + policyRequest.addEntry(policyEntry); + Api::sendPolicy(policyRequest); + Api::getPolicyForSelf(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size()); + exit(0); + }; + + if (pid[0] != 0) {//parent process + pid[1] = fork(); + + if (pid[1] == 0) { //child #2 process + errno = 0; + RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno); + struct passwd *pw_target = getUserStruct(usernames.at(0)); + struct passwd *pw = getUserStruct(usernames.at(1)); + register_current_process_as_privilege_manager(pw->pw_uid); + + //change uid to normal user + int result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry filter = PolicyEntry( + SECURITY_MANAGER_ANY, + std::to_string(pw_target->pw_uid), + SECURITY_MANAGER_ANY + ); + + //U2 requests contents of U1 privacy manager - should fail + Api::getPolicyForSelf(filter, policyEntries); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty"); + + filter = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY + ); + + policyEntries.clear(); + + //U2 requests contents of ADMIN bucket - should fail + Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty"); + exit(0); + }; + + if (pid[1] != 0) { //parent + + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + + //Install apps for both users + for(const auto &user : users2AppsMap) { + + for(const auto &app : user.second) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(users.at(0).getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); + }; + + int status; + //Start child #1 + errno = 0; + RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno); + + //Wait until child #1 finishes + pid_t ret = wait(&status); + RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed"); + + //Start child #2 + errno = 0; + RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno); + //Wait until child #2 finishes + ret = wait(&status); + RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed"); + + for(auto &user : users) { + user.remove(); + }; + + sem_close(mutex[0]); + sem_close(mutex[1]); + }; + }; +} + +RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin) +{ + //TEST DATA + const std::vector usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"}; + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + MANY_APPS.at(i), std::set( + MANY_APPS_PRIVILEGES.at(i).begin(), + MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(1)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + + privileges_count += 2; + //TEST DATA END + sem_t *mutex; + errno = 0; + RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno); + errno = 0; + RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno); + + pid_t pid = fork(); + if (pid != 0) { + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + + //Install apps for both users + for(const auto &user : users) { + + for(const auto &app : users2AppsMap.at(user.getUserName())) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(user.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + }; + //Start child process + errno = 0; + RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno); + int status; + //Wait for child process to finish + wait(&status); + + //switch back to root + for(auto &user : users) { + user.remove(); + }; + + sem_close(mutex); + } + + if (pid == 0) { //child process + errno = 0; + RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno); + + struct passwd *pw = getUserStruct(usernames.at(0)); + register_current_process_as_privilege_manager(pw->pw_uid, true); + + //change uid to normal user + int result = drop_root_privileges(pw->pw_uid, pw->pw_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyRequest *policyRequest = new PolicyRequest(); + PolicyEntry filter; + std::vector policyEntries; + //this call should succeed as the calling user is privileged + Api::getPolicyForSelf(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty"); + + PolicyEntry policyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/internet" + ); + policyEntry.setMaxLevel("Deny"); + + policyRequest->addEntry(policyEntry); + policyEntry = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/location" + ); + policyEntry.setMaxLevel("Deny"); + + policyRequest->addEntry(policyEntry); + Api::sendPolicy(*policyRequest); + Api::getPolicyForAdmin(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size()); + + delete policyRequest; + policyRequest = new PolicyRequest(); + policyEntry = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/internet" + ); + policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE); + policyRequest->addEntry(policyEntry); + + policyEntry = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/location" + ); + policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE); + + policyRequest->addEntry(policyEntry); + Api::sendPolicy(*policyRequest); + + policyEntries.clear(); + Api::getPolicyForAdmin(filter, policyEntries); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size()); + + delete policyRequest; + + exit(0); + }; + +} + +RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin) +{ + const char *const update_app_id = "security_manager_15_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = "ADMIN"; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), true); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setMaxLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard) +{ + const char *const update_other_app_id = "security_manager_15_update_other_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = "ADMIN"; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), true); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // use wildcard as appId + PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setMaxLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self) +{ + const char *const update_app_id = "security_manager_15_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = ""; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), false); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get) +{ + const std::string username("sm_test_16_user_cynara_policy"); + CynaraTestAdmin::Admin admin; + int pipefd[2]; + pid_t pid; + int result = 0; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + } + if(pid == 0) + { + int ret; + char** levels; + std::string allow_policy, deny_policy; + size_t count; + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // without plugins there should only be 2 policies - Allow and Deny + ret = security_manager_policy_levels_get(&levels, &count); + + RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS, + "Invlid return code: " << ret); + + RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast(count)); + + deny_policy = std::string(levels[0]); + allow_policy = std::string(levels[count-1]); + + // first should always be Deny + RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0, + "Invalid first policy level. Should be Deny, instead there is: " << levels[0]); + + // last should always be Allow + RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0, + "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]); + + security_manager_policy_levels_free(levels, count); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self) +{ + const char *const update_app_id = "security_manager_17_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = ""; + const std::string username("sm_test_17_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + int pipefd2[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), false); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + + pid = fork(); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd2+1); + close(pipefd2[0]); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + //wait for child + waitpid(-1, &result, 0); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd2); + close(pipefd2[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // delete this entry + PolicyRequest deletePolicyRequest; + PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + deleteEntry.setLevel(SECURITY_MANAGER_DELETE); + + deletePolicyRequest.addEntry(deleteEntry); + Api::sendPolicy(deletePolicyRequest); + exit(0); + } + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered) +{ + const std::string username("sm_test_17_user_name"); + + struct message { + uid_t uid; + gid_t gid; + unsigned int privileges_count; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + TemporaryTestUser user(username, static_cast(GUM_USERTYPE_NORMAL), false); + user.create(); + + unsigned int privileges_count = 0; + + register_current_process_as_privilege_manager(user.getUid(), false); + //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable + ++privileges_count; + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + InstallRequest requestInst; + requestInst.setAppId(MANY_APPS[i].c_str()); + requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str()); + requestInst.setUid(user.getUid()); + + for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) { + requestInst.addPrivilege(priv.c_str()); + }; + + Api::install(requestInst); + privileges_count += MANY_APPS_PRIVILEGES.at(i).size(); + }; + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + msg.privileges_count = privileges_count; + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // filter by privilege + std::vector policyEntries; + PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet"); + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size()); + + // filter by other privilege + policyEntries.clear(); + PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email"); + Api::getPolicy(filter2, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size()); + + // filter by appId + policyEntries.clear(); + PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY); + Api::getPolicy(filter3, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size()); + } +} + +RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy) +{ + const char *const MAIN_BUCKET = "MAIN"; + const char *const MANIFESTS_BUCKET = "MANIFESTS"; + const char *const ADMIN_BUCKET = "ADMIN"; + const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL"; + const std::string username("sm_test_10_user_cynara_policy"); + CynaraTestAdmin::Admin admin; + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + user.create(); + user.getUidString(uid_string); + + CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer; + nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET); + admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS); + + user.remove(); + CynaraTestAdmin::CynaraPoliciesContainer emptyContainer; + + admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); + admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); + admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); + admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); +} + +RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install) +{ + int ret; + const int SUCCESS = 0; + const int FAILURE = 256; + const std::string app_id = "security_manager_10_app"; + const std::string pkg_id = "security_manager_10_pkg"; + const std::string username("sm_test_10_user_name"); + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + user.create(); + user.getUidString(uid_string); + const std::string path1 = "/home/" + username + "/p1"; + const std::string path2 = "/home/" + username + "/p2"; + const std::string pkgopt = " --pkg=" + pkg_id; + const std::string appopt = " --app=" + app_id; + const std::string uidopt = " --uid=" + uid_string; + + mkdir(path1.c_str(), 0); + mkdir(path2.c_str(), 0); + + const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt; + + struct operation { + std::string command; + int expected_result; + }; + std::vector operations = { + {"security-manager-cmd", FAILURE},//no option + {"security-manager-cmd --blah", FAILURE},//blah option is not known + {"security-manager-cmd --help", SUCCESS}, + {"security-manager-cmd --install", FAILURE},//no params + {"security-manager-cmd -i", FAILURE},//no params + {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid + {installcmd, SUCCESS}, + {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS}, + {installcmd + " --path " + path1 + " private", SUCCESS}, + {installcmd + " --path " + path1, FAILURE},//no path type + {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS}, + {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type + {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS}, + }; + + for (auto &op : operations) { + ret = system(op.command.c_str()); + RUNNER_ASSERT_MSG(ret == op.expected_result, + "Unexpected result for command '" << op.command <<"': " + << ret << " Expected was: "<< op.expected_result); + } +} + +RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users) +{ + int ret; + const int SUCCESS = 0; + const int FAILURE = 256; + const std::string username("sm_test_11_user_name"); + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + user.create(); + user.getUidString(uid_string); + const std::string uidopt = " --uid=" + uid_string; + + struct operation { + std::string command; + int expected_result; + }; + std::vector operations = { + {"security-manager-cmd --manage-users=remove", FAILURE},//no params + {"security-manager-cmd -m", FAILURE},//no params + {"security-manager-cmd -mr", FAILURE},//no uid + {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid + {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj? + {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf? + {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed + {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah + {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added + {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added + {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added + }; + + for (auto &op : operations) { + ret = system(op.command.c_str()); + RUNNER_ASSERT_MSG(ret == op.expected_result, + "Unexpected result for command '" << op.command <<"': " + << ret << " Expected was: "<< op.expected_result); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv) +{ + const int BUFFER_SIZE = 128; + struct message { + uid_t uid; + gid_t gid; + char buf[BUFFER_SIZE]; + } msg; + + privileges_t admin_required_privs = { + "http://tizen.org/privilege/systemsettings.admin", + "http://tizen.org/privilege/systemsettings"}; + privileges_t manifest_privs = { + "http://tizen.org/privilege/internet", + "http://tizen.org/privilege/camera"}; + privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"}; + privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"}; + + const std::string pirivman_id = "sm_test_13_ADMIN_APP"; + const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG"; + const std::string app_id = "sm_test_13_SOME_APP"; + const std::string pkg_id = "sm_test_13_SOME_PKG"; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + std::string childuidstr; + TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true); + TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true); + + InstallRequest request,request2; + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + admin.create(); + child.create(); + child.getUidString(childuidstr); + + //install privacy manager for admin + request.setAppId(pirivman_id.c_str()); + request.setPkgId(pirivman_pkg_id.c_str()); + request.setUid(admin.getUid()); + for (auto &priv: admin_required_privs) + request.addPrivilege(priv.c_str()); + Api::install(request); + + //install app for child that has internet privilege + request2.setAppId(app_id.c_str()); + request2.setPkgId(pkg_id.c_str()); + request2.setUid(child.getUid()); + for (auto &priv: manifest_privs) + request2.addPrivilege(priv.c_str()); + Api::install(request2); + + check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(), + manifest_privs, SM_NO_PRIVILEGES); + + //send info to child + msg.uid = admin.getUid(); + msg.gid = admin.getGid(); + strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(), + real_privs_allow, real_privs_deny); + } + if (pid == 0)//child + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(pirivman_id.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + PolicyRequest addPolicyReq; + //change rights + for (auto &denypriv:real_privs_deny) { + /*this entry will deny some privileges for user whose uid (as c string) + was sent in message's buf field. + That user would be denying internet for child in this case*/ + PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv); + entry.setMaxLevel("Deny"); + addPolicyReq.addEntry(entry); + } + Api::sendPolicy(addPolicyReq); + exit(0); + } +} + int main(int argc, char *argv[]) { return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);