X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=tests%2Fsecurity-manager-tests%2Fsecurity_manager_tests.cpp;h=a342ea9618f8ceddebf0129eefba148d96140f83;hb=8ee1016ffa4f441ac07655ecbbfd135f01bbdace;hp=9d9df10671c2774db226ba2970b2b145dd7a265a;hpb=049069b656bd8497b2f5e060d59c27cb7008c2c2;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp index 9d9df10..a342ea9 100644 --- a/tests/security-manager-tests/security_manager_tests.cpp +++ b/tests/security-manager-tests/security_manager_tests.cpp @@ -8,6 +8,9 @@ #include #include +#include +#include +#include #include #include #include @@ -31,7 +34,9 @@ #include #include #include +#include #include +#include using namespace SecurityManagerTest; @@ -824,7 +829,7 @@ RUNNER_CHILD_TEST(security_manager_07_user_add_app_install) std::string uid_string; TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); test_user.create(); - uid_string = std::to_string(static_cast(test_user.getUid())); + test_user.getUidString(uid_string); install_app(sm_app_id, sm_pkg_id, test_user.getUid()); @@ -849,7 +854,7 @@ RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove) // gumd user add TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false); test_user.create(); - uid_string = std::to_string(static_cast(test_user.getUid())); + test_user.getUidString(uid_string); addUserRequest.setUid(test_user.getUid()); addUserRequest.setUserType(SM_USER_TYPE_NORMAL); @@ -1560,6 +1565,724 @@ RUNNER_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admi } +RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin) +{ + const char *const update_app_id = "security_manager_15_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = "ADMIN"; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + std::string smackLabel; + generateAppLabel(update_app_id, smackLabel); + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), true); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, smackLabel.c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setMaxLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard) +{ + const char *const update_other_app_id = "security_manager_15_update_other_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = "ADMIN"; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + std::string smackLabel; + generateAppLabel(update_other_app_id, smackLabel); + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), true); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, smackLabel.c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // use wildcard as appId + PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setMaxLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self) +{ + const char *const update_app_id = "security_manager_15_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = ""; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + std::string smackLabel; + generateAppLabel(update_app_id, smackLabel); + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), false); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, smackLabel.c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get) +{ + const std::string username("sm_test_16_user_cynara_policy"); + CynaraTestAdmin::Admin admin; + int pipefd[2]; + pid_t pid; + int result = 0; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + } + if(pid == 0) + { + int ret; + char** levels; + std::string allow_policy, deny_policy; + size_t count; + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // without plugins there should only be 2 policies - Allow and Deny + ret = security_manager_policy_levels_get(&levels, &count); + + RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS, + "Invlid return code: " << ret); + + RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast(count)); + + deny_policy = std::string(levels[0]); + allow_policy = std::string(levels[count-1]); + + // first should always be Deny + RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0, + "Invalid first policy level. Should be Deny, instead there is: " << levels[0]); + + // last should always be Allow + RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0, + "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]); + + security_manager_policy_levels_free(levels, count); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self) +{ + const char *const update_app_id = "security_manager_17_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = ""; + const std::string username("sm_test_17_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + std::string smackLabel; + generateAppLabel(update_app_id, smackLabel); + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + int pipefd2[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), false); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + admin.adminCheck(check_start_bucket, false, smackLabel.c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + + pid = fork(); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd2+1); + close(pipefd2[0]); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + //wait for child + waitpid(-1, &result, 0); + + admin.adminCheck(check_start_bucket, false, smackLabel.c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd2); + close(pipefd2[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // delete this entry + PolicyRequest deletePolicyRequest; + PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + deleteEntry.setLevel(SECURITY_MANAGER_DELETE); + + deletePolicyRequest.addEntry(deleteEntry); + Api::sendPolicy(deletePolicyRequest); + exit(0); + } + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered) +{ + const std::string username("sm_test_17_user_name"); + + struct message { + uid_t uid; + gid_t gid; + unsigned int privileges_count; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + TemporaryTestUser user(username, static_cast(GUM_USERTYPE_NORMAL), false); + user.create(); + + unsigned int privileges_count = 0; + + register_current_process_as_privilege_manager(user.getUid(), false); + //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable + ++privileges_count; + + for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { + InstallRequest requestInst; + requestInst.setAppId(MANY_APPS[i].c_str()); + requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str()); + requestInst.setUid(user.getUid()); + + for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) { + requestInst.addPrivilege(priv.c_str()); + }; + + Api::install(requestInst); + privileges_count += MANY_APPS_PRIVILEGES.at(i).size(); + }; + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + msg.privileges_count = privileges_count; + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // filter by privilege + std::vector policyEntries; + PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet"); + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size()); + + // filter by other privilege + policyEntries.clear(); + PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email"); + Api::getPolicy(filter2, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size()); + + // filter by appId + policyEntries.clear(); + PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY); + Api::getPolicy(filter3, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size()); + } +} + +RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy) +{ + const char *const MAIN_BUCKET = "MAIN"; + const char *const MANIFESTS_BUCKET = "MANIFESTS"; + const char *const ADMIN_BUCKET = "ADMIN"; + const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL"; + const std::string username("sm_test_10_user_cynara_policy"); + CynaraTestAdmin::Admin admin; + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + user.create(); + user.getUidString(uid_string); + + CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer; + nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET); + admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS); + + user.remove(); + CynaraTestAdmin::CynaraPoliciesContainer emptyContainer; + + admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); + admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); + admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); + admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); +} + +RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install) +{ + int ret; + const int SUCCESS = 0; + const int FAILURE = 256; + const std::string app_id = "security_manager_10_app"; + const std::string pkg_id = "security_manager_10_pkg"; + const std::string username("sm_test_10_user_name"); + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + user.create(); + user.getUidString(uid_string); + const std::string path1 = "/home/" + username + "/p1"; + const std::string path2 = "/home/" + username + "/p2"; + const std::string pkgopt = " --pkg=" + pkg_id; + const std::string appopt = " --app=" + app_id; + const std::string uidopt = " --uid=" + uid_string; + + mkdir(path1.c_str(), 0); + mkdir(path2.c_str(), 0); + + const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt; + + struct operation { + std::string command; + int expected_result; + }; + std::vector operations = { + {"security-manager-cmd", FAILURE},//no option + {"security-manager-cmd --blah", FAILURE},//blah option is not known + {"security-manager-cmd --help", SUCCESS}, + {"security-manager-cmd --install", FAILURE},//no params + {"security-manager-cmd -i", FAILURE},//no params + {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid + {installcmd, SUCCESS}, + {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS}, + {installcmd + " --path " + path1 + " private", SUCCESS}, + {installcmd + " --path " + path1, FAILURE},//no path type + {installcmd + " --path " + path1 + " private" + " --path " + path2 + " private", SUCCESS}, + {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " public", FAILURE},//wrong path type + {installcmd + " --path " + path1 + " private" + " --privilege somepriv --privilege somepriv2" , SUCCESS}, + }; + + for (auto &op : operations) { + ret = system(op.command.c_str()); + RUNNER_ASSERT_MSG(ret == op.expected_result, + "Unexpected result for command '" << op.command <<"': " + << ret << " Expected was: "<< op.expected_result); + } +} + +RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users) +{ + int ret; + const int SUCCESS = 0; + const int FAILURE = 256; + const std::string username("sm_test_11_user_name"); + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true); + user.create(); + user.getUidString(uid_string); + const std::string uidopt = " --uid=" + uid_string; + + struct operation { + std::string command; + int expected_result; + }; + std::vector operations = { + {"security-manager-cmd --manage-users=remove", FAILURE},//no params + {"security-manager-cmd -m", FAILURE},//no params + {"security-manager-cmd -mr", FAILURE},//no uid + {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid + {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj? + {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf? + {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed + {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah + {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added + {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added + {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added + }; + + for (auto &op : operations) { + ret = system(op.command.c_str()); + RUNNER_ASSERT_MSG(ret == op.expected_result, + "Unexpected result for command '" << op.command <<"': " + << ret << " Expected was: "<< op.expected_result); + } +} + +RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv) +{ + const int BUFFER_SIZE = 128; + struct message { + uid_t uid; + gid_t gid; + char buf[BUFFER_SIZE]; + } msg; + + privileges_t admin_required_privs = { + "http://tizen.org/privilege/systemsettings.admin", + "http://tizen.org/privilege/systemsettings"}; + privileges_t manifest_privs = { + "http://tizen.org/privilege/internet", + "http://tizen.org/privilege/camera"}; + privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"}; + privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"}; + + const std::string pirivman_id = "sm_test_13_ADMIN_APP"; + const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG"; + const std::string app_id = "sm_test_13_SOME_APP"; + const std::string pkg_id = "sm_test_13_SOME_PKG"; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + std::string childuidstr; + TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true); + TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true); + + InstallRequest request,request2; + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + admin.create(); + child.create(); + child.getUidString(childuidstr); + + //install privacy manager for admin + request.setAppId(pirivman_id.c_str()); + request.setPkgId(pirivman_pkg_id.c_str()); + request.setUid(admin.getUid()); + for (auto &priv: admin_required_privs) + request.addPrivilege(priv.c_str()); + Api::install(request); + + //install app for child that has internet privilege + request2.setAppId(app_id.c_str()); + request2.setPkgId(pkg_id.c_str()); + request2.setUid(child.getUid()); + for (auto &priv: manifest_privs) + request2.addPrivilege(priv.c_str()); + Api::install(request2); + + check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(), + manifest_privs, SM_NO_PRIVILEGES); + + //send info to child + msg.uid = admin.getUid(); + msg.gid = admin.getGid(); + strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + //wait for child + RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed"); + + check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(), + real_privs_allow, real_privs_deny); + } + if (pid == 0)//child + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(pirivman_id.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + PolicyRequest addPolicyReq; + //change rights + for (auto &denypriv:real_privs_deny) { + /*this entry will deny some privileges for user whose uid (as c string) + was sent in message's buf field. + That user would be denying internet for child in this case*/ + PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv); + entry.setMaxLevel("Deny"); + addPolicyReq.addEntry(entry); + } + Api::sendPolicy(addPolicyReq); + exit(0); + } +} + int main(int argc, char *argv[]) { return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);