--- /dev/null
-DEFINE_SMARTPTR(security_manager_app_inst_req_free, app_inst_req, AppInstReqUniquePtr);
-DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
-
-static const char *const SM_APP_ID1 = "sm_test_app_id_double";
-static const char *const SM_PKG_ID1 = "sm_test_pkg_id_double";
++#include <dpl/log/log.h>
+ #include <dpl/test/test_runner.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <memory.h>
+ #include <string>
+ #include <unordered_set>
+ #include <sys/capability.h>
++#include <semaphore.h>
+
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/wait.h>
+ #include <sys/socket.h>
+ #include <sys/un.h>
+ #include <attr/xattr.h>
+ #include <linux/xattr.h>
+
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++
+ #include <grp.h>
+ #include <pwd.h>
+
+ #include <libprivilege-control_test_common.h>
+ #include <tests_common.h>
+
++#include <tzplatform_config.h>
+ #include <security-manager.h>
++#include <sm_api.h>
+ #include <sm_db.h>
++#include <sm_request.h>
++#include <sm_user_request.h>
++#include <temp_test_user.h>
+ #include <cynara_test_client.h>
++#include <cynara_test_admin.h>
++#include <service_manager.h>
++#include <cynara_test_admin.h>
+
-static const char *const SM_APP_ID2 = "sm_test_app_id_full";
-static const char *const SM_PKG_ID2 = "sm_test_pkg_id_full";
-
-static const char *const SM_APP_ID3 = "sm_test_app_id_uid";
-static const char *const SM_PKG_ID3 = "sm_test_pkg_id_uid";
++using namespace SecurityManagerTest;
+
- "security_manager_test_rules2_r",
- "security_manager_test_rules2_no_r"
++DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
++DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
+
+ static const privileges_t SM_ALLOWED_PRIVILEGES = {
- "security_manager_test_rules1",
- "security_manager_test_rules2"
++ "http://tizen.org/privilege/location",
++ "http://tizen.org/privilege/camera"
+ };
+
+ static const privileges_t SM_DENIED_PRIVILEGES = {
-static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
-static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
-static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
-static const char *const SM_PRIVATE_PATH_FOR_USER = "/home/" APP_USER "/test_DIR";
++ "http://tizen.org/privilege/bluetooth",
++ "http://tizen.org/privilege/power"
+ };
+
+ static const privileges_t SM_NO_PRIVILEGES = {
+ };
+
+ static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
+
-static void generateAppLabel(const std::string &pkgId, std::string &label)
++static const char *const SM_RW_PATH = "/usr/apps/app_dir";
++static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro";
++static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
++
+ static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
++static const std::string EXEC_FILE("exec");
++static const std::string NORMAL_FILE("normal");
++static const std::string LINK_PREFIX("link_to_");
++
++static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
++static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
++static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
++static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
++
++static const std::vector<std::string> MANY_APPS = {
++ "security_manager_10_app_1",
++ "security_manager_10_app_2",
++ "security_manager_10_app_3",
++ "security_manager_10_app_4",
++ "security_manager_10_app_5"
++};
++
++static const std::map<std::string, std::string> MANY_APPS_PKGS = {
++ {"security_manager_10_app_1", "security_manager_10_pkg_1"},
++ {"security_manager_10_app_2", "security_manager_10_pkg_2"},
++ {"security_manager_10_app_3", "security_manager_10_pkg_3"},
++ {"security_manager_10_app_4", "security_manager_10_pkg_4"},
++ {"security_manager_10_app_5", "security_manager_10_pkg_5"},
++ {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG}
++};
++
++static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
++ {
++ "http://tizen.org/privilege/internet",
++ "http://tizen.org/privilege/location"
++ },
++ {
++ "http://tizen.org/privilege/telephony",
++ "http://tizen.org/privilege/camera"
++ },
++ {
++ "http://tizen.org/privilege/contact.read",
++ "http://tizen.org/privilege/led",
++ "http://tizen.org/privilege/email"
++ },
++ {
++ "http://tizen.org/privilege/led",
++ "http://tizen.org/privilege/email",
++ "http://tizen.org/privilege/telephony",
++ "http://tizen.org/privilege/camera"
++ },
++ {
++ "http://tizen.org/privilege/internet",
++ "http://tizen.org/privilege/location",
++ "http://tizen.org/privilege/led",
++ "http://tizen.org/privilege/email"
++ }
++};
+
- (void) pkgId;
- label = "User";
++static std::string generateAppLabel(const std::string &appId)
+ {
-static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
++ return "User::App::" + appId;
+ }
+
+ static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
+ const char* correctLabel, bool transmute_test, bool exec_test)
+ {
+ int result;
+ CStringPtr labelPtr;
+ char* label = nullptr;
+
+ /* ACCESS */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+ RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
+ result = strcmp(correctLabel, label);
+ RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
+ " (should be '" << correctLabel << "' and is '" << label << "')");
+
+
+ /* EXEC */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+
+ if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
+ RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
+ result = strcmp(correctLabel, label);
+ RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
+ } else
+ RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
+
+
+ /* TRANSMUTE */
+ result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
+ RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
+ labelPtr.reset(label);
+
+ if (S_ISDIR(sb->st_mode) && transmute_test == true) {
+ RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
+ RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
+ "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
+ } else {
+ RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
+ }
+
+ return 0;
+ }
+
++// nftw doesn't allow passing user data to functions. Work around by using global variable
++static std::string nftw_expected_label;
++bool nftw_expected_transmute;
++bool nftw_expected_exec;
+
- return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
-}
-
-static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
- int /*typeflag*/, struct FTW* /*ftwbuf*/)
-{
-
- return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
-}
-
-static app_inst_req* do_app_inst_req_new()
-{
- int result;
- app_inst_req *req = nullptr;
-
- result = security_manager_app_inst_req_new(&req);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "creation of new request failed. Result: " << result);
- RUNNER_ASSERT_MSG(req != nullptr, "creation of new request did not allocate memory");
- return req;
++static int nftw_check_sm_labels(const char *fpath, const struct stat *sb,
+ int /*typeflag*/, struct FTW* /*ftwbuf*/)
+ {
- result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
++ return nftw_check_sm_labels_app_dir(fpath, sb,
++ nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec);
+ }
+
+ static void prepare_app_path()
+ {
+ int result;
+
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
++ result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
++ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
+
-/* TODO: add parameters to this function */
-static void check_app_path_after_install()
++ result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
++ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
+
+ result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
+ }
+
+ static void prepare_app_env()
+ {
+ prepare_app_path();
+ }
+
- result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
++static void check_app_path_after_install(const char *appId)
+ {
+ int result;
+
- result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
++ nftw_expected_label = generateAppLabel(appId);
++ nftw_expected_transmute = false;
++ nftw_expected_exec = true;
++
++ result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
++ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
++
++ nftw_expected_label = "User::Home";
++ nftw_expected_transmute = true;
++ nftw_expected_exec = false;
+
- (void) app_id;
- std::string smackLabel;
- generateAppLabel(pkg_id, smackLabel);
++ result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
++ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
+
+ result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
+ }
+
+
+ static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
+ const privileges_t &allowed_privs, const privileges_t &denied_privs)
+ {
- ret = security_manager_set_process_groups_from_appid(app_id);
- RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS,
- "security_manager_set_process_groups_from_appid(" <<
- app_id << ") failed. Result: " << ret);
++ (void) pkg_id;
++ std::string smackLabel = generateAppLabel(app_id);
+
+ CynaraTestClient::Client ctc;
+
+ for (auto &priv : allowed_privs) {
+ ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
+ }
+
+ for (auto &priv : denied_privs) {
+ ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
+ }
+ }
+
+ static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
+ {
+ int ret;
+ gid_t main_gid = getgid();
+ std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
+
+ // Reset supplementary groups
+ ret = setgroups(0, NULL);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
+
-static void install_app(const char *app_id, const char *pkg_id)
++ Api::setProcessGroups(app_id);
+
+ ret = getgroups(0, nullptr);
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ std::vector<gid_t> actual_gids(ret);
+ ret = getgroups(ret, actual_gids.data());
+ RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
+
+ for (const auto &gid : actual_gids) {
+ RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
+ "Application shouldn't get access to group " << gid);
+ reference_gids.erase(gid);
+ }
+
+ RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
+ }
+
+ static void check_app_after_install(const char *const app_id, const char *const pkg_id,
+ const privileges_t &allowed_privs,
+ const privileges_t &denied_privs,
+ const std::vector<std::string> &allowed_groups)
+ {
+ TestSecurityManagerDatabase dbtest;
+ dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
+ dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
+
+ /*Privileges should be granted to all users if root installs app*/
+ check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
+
+ /* Setup mapping of gids to privileges */
+ /* Do this for each privilege for extra check */
+ for (const auto &privilege : allowed_privs) {
+ dbtest.setup_privilege_groups(privilege, allowed_groups);
+ }
+
+ std::vector<gid_t> allowed_gids;
+
+ for (const auto &groupName : allowed_groups) {
+ errno = 0;
+ struct group* grp = getgrnam(groupName.c_str());
+ RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
+ allowed_gids.push_back(grp->gr_gid);
+ }
+
+ check_app_gids(app_id, allowed_gids);
+ }
+
+ static void check_app_after_install(const char *const app_id, const char *const pkg_id)
+ {
+ TestSecurityManagerDatabase dbtest;
+ dbtest.test_db_after__app_install(app_id, pkg_id);
+ }
+
+ static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
+ const privileges_t &privileges, const bool is_pkg_removed)
+ {
+ TestSecurityManagerDatabase dbtest;
+ dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
+
+
+ /*Privileges should not be granted anymore to any user*/
+ check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
+ }
+
+ static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
+ const bool is_pkg_removed)
+ {
+ TestSecurityManagerDatabase dbtest;
+ dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
+ }
+
- int result;
- AppInstReqUniquePtr request;
- request.reset(do_app_inst_req_new());
++static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
+ {
- result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ InstallRequest request;
++ request.setAppId(app_id);
++ request.setPkgId(pkg_id);
++ request.setUid(uid);
++ Api::install(request);
+
- result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting pkg id failed. Result: " << result);
++ check_app_after_install(app_id, pkg_id);
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "installing app failed. Result: " << result);
++}
+
- check_app_after_install(app_id, pkg_id);
++static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
++{
++ InstallRequest request;
++ request.setAppId(app_id);
+
-static void uninstall_app(const char *app_id, const char *pkg_id,
- bool expect_installed, bool expect_pkg_removed)
++ Api::uninstall(request);
+
++ check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
+ }
+
- int result;
- AppInstReqUniquePtr request;
- request.reset(do_app_inst_req_new());
++static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
+ {
- result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ InstallRequest request;
++ request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
++ request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
++ request.setUid(uid);
++ request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
++ if (forAdmin)
++ request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
++ Api::install(request);
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++};
+
- result = security_manager_app_uninstall(request.get());
- RUNNER_ASSERT_MSG(!expect_installed || (lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "uninstalling app failed. Result: " << result);
++static inline struct passwd *getUserStruct(const std::string &userName) {
++ struct passwd *pw = nullptr;
++ errno = 0;
+
- check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
-}
++ while(!(pw = getpwnam(userName.c_str()))) {
++ RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
++ };
+
-RUNNER_TEST(security_manager_01_app_double_install_double_uninstall)
++ return pw;
++};
++
++static inline struct passwd *getUserStruct(const uid_t uid) {
++ struct passwd *pw = nullptr;
++ errno = 0;
+
++ while(!(pw = getpwuid(uid))) {
++ RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
++ };
++
++ return pw;
++};
+
+ RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
+
+
- int result;
- AppInstReqUniquePtr request;
++RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
+ {
- request.reset(do_app_inst_req_new());
++ const char *const sm_app_id = "sm_test_01a_app_id_double";
++ const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
+
- result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ InstallRequest requestInst;
++ requestInst.setAppId(sm_app_id);
++ requestInst.setPkgId(sm_pkg_id);
+
- result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID1);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting pkg id failed. Result: " << result);
++ Api::install(requestInst);
++ Api::install(requestInst);
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "installing app failed. Result: " << result);
++ /* Check records in the security-manager database */
++ check_app_after_install(sm_app_id, sm_pkg_id);
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "installing already installed app failed. Result: " << result);
++ InstallRequest requestUninst;
++ requestUninst.setAppId(sm_app_id);
+
- check_app_after_install(SM_APP_ID1, SM_PKG_ID1);
++ Api::uninstall(requestUninst);
++ Api::uninstall(requestUninst);
+
+ /* Check records in the security-manager database */
- request.reset(do_app_inst_req_new());
++ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
++}
++
++
++RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
++{
++ const char *const sm_app_id = "sm_test_01b_app";
++ const char *const sm_pkg_id = "sm_test_01b_pkg";
++ const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
++
++ InstallRequest requestInst;
++ requestInst.setAppId(sm_app_id);
++ requestInst.setPkgId(sm_pkg_id);
++
++ Api::install(requestInst);
+
- result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID1);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ InstallRequest requestInst2;
++ requestInst2.setAppId(sm_app_id);
++ requestInst2.setPkgId(sm_pkg_id_wrong);
+
- result = security_manager_app_uninstall(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "uninstalling app failed. Result: " << result);
++ Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+
- result = security_manager_app_uninstall(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "uninstalling already uninstalled app failed. Result: " << result);
+
- check_app_after_uninstall(SM_APP_ID1, SM_PKG_ID1, TestSecurityManagerDatabase::REMOVED);
++ /* Check records in the security-manager database */
++ check_app_after_install(sm_app_id, sm_pkg_id);
++
++ InstallRequest requestUninst;
++ requestUninst.setAppId(sm_app_id);
++
++ Api::uninstall(requestUninst);
++
+
+ /* Check records in the security-manager database */
-RUNNER_TEST(security_manager_02_app_install_uninstall_full)
++ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
++
+ }
+
- int result;
- AppInstReqUniquePtr request;
++RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
+ {
- prepare_app_env();
++ const char * const sm_app_id = "SM_TEST_01c_APPID";
++ const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
++ const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
+
- request.reset(do_app_inst_req_new());
++ InstallRequest requestInst;
++ requestInst.setAppId(sm_app_id);
++ requestInst.setPkgId(sm_pkg_id);
++
++ Api::install(requestInst);
++
++ /* Check records in the security-manager database */
++ check_app_after_install(sm_app_id, sm_pkg_id);
++
++ InstallRequest requestUninst;
++ requestUninst.setAppId(sm_app_id);
++ requestUninst.setPkgId(sm_pkg_id_wrong);
+
- result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ Api::uninstall(requestUninst);
+
- result = security_manager_app_inst_req_set_pkg_id(request.get(), SM_PKG_ID2);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting pkg id failed. Result: " << result);
++ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+
- result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[0].c_str());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting allowed permission failed. Result: " << result);
- result = security_manager_app_inst_req_add_privilege(request.get(), SM_ALLOWED_PRIVILEGES[1].c_str());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting allowed permission failed. Result: " << result);
++}
+
- result = security_manager_app_inst_req_add_path(request.get(), SM_PRIVATE_PATH,
- SECURITY_MANAGER_PATH_PRIVATE);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting allowed path failed. Result: " << result);
++RUNNER_TEST(security_manager_02_app_install_uninstall_full)
++{
++ const char *const sm_app_id = "sm_test_02_app_id_full";
++ const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
+
- result = security_manager_app_inst_req_add_path(request.get(), SM_PUBLIC_RO_PATH,
- SECURITY_MANAGER_PATH_PUBLIC_RO);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting allowed path failed. Result: " << result);
++ prepare_app_env();
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "installing app failed. Result: " << result);
++ InstallRequest requestInst;
++ requestInst.setAppId(sm_app_id);
++ requestInst.setPkgId(sm_pkg_id);
++ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
++ requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
++ requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
++ requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
+
- check_app_after_install(SM_APP_ID2, SM_PKG_ID2,
++ Api::install(requestInst);
+
+ /* Check records in the security-manager database */
- check_app_path_after_install();
-
- request.reset(do_app_inst_req_new());
++ check_app_after_install(sm_app_id, sm_pkg_id,
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+ /* TODO: add parameters to this function */
- result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID2);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ check_app_path_after_install(sm_app_id);
+
- result = security_manager_app_uninstall(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "uninstalling app failed. Result: " << result);
++ InstallRequest requestUninst;
++ requestUninst.setAppId(sm_app_id);
+
- check_app_after_uninstall(SM_APP_ID2, SM_PKG_ID2,
++ Api::uninstall(requestUninst);
+
+ /* Check records in the security-manager database,
+ * all previously allowed privileges should be removed */
- const char *const app_id = "sm_test_app_id_set_label_from_appid";
- const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
- const char *const expected_label = USER_APP_ID;
++ check_app_after_uninstall(sm_app_id, sm_pkg_id,
+ SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
+ }
+
+ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
+ {
- uninstall_app(app_id, pkg_id, false, true);
++ const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
++ const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
+ const char *const socketLabel = "not_expected_label";
++ std::string expected_label = generateAppLabel(app_id);
+ char *label = nullptr;
+ CStringPtr labelPtr;
+ int result;
+
- result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
- strlen(socketLabel), 0);
++ uninstall_app(app_id, pkg_id, true);
+ install_app(app_id, pkg_id);
+
+ struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
+ //Clean up before creating socket
+ unlink(SOCK_PATH);
+ int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
+ SockUniquePtr sockPtr(&sock);
+ //Bind socket to address
+ result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
+ RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
+ //Set socket label to something different than expecedLabel
- result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
- strlen(socketLabel), 0);
++ result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPIN, socketLabel);
+ RUNNER_ASSERT_ERRNO_MSG(result == 0,
+ "Can't set socket label. Result: " << result);
- result = security_manager_set_process_label_from_appid(app_id);
- RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
- "security_manager_set_process_label_from_appid(" <<
- app_id << ") failed. Result: " << result);
++ result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPOUT, socketLabel);
+ RUNNER_ASSERT_ERRNO_MSG(result == 0,
+ "Can't set socket label. Result: " << result);
+
- char value[SMACK_LABEL_LEN + 1];
- ssize_t size;
- size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
- RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
- result = strcmp(expected_label, value);
++ Api::setProcessLabel(app_id);
+
- expected_label << " Actual: " << value);
++ result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPIN, &label);
++ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
++ labelPtr.reset(label);
++ result = expected_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
- RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
- result = strcmp(expected_label, value);
++ expected_label << " Actual: " << label);
+
- expected_label << " Actual: " << value);
++ result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPOUT, &label);
++ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
++ labelPtr.reset(label);
++ result = expected_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- result = strcmp(expected_label, label);
++ expected_label << " Actual: " << label);
+
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result >= 0,
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG(label != nullptr,
+ " Process label is not set");
+ labelPtr.reset(label);
+
- uninstall_app(app_id, pkg_id, true, true);
++ result = expected_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0,
+ " Process label is incorrect. Expected: \"" << expected_label <<
+ "\" Actual: \"" << label << "\"");
+
- const char *const app_id = "sm_test_app_id_set_label_from_appid";
- const char *const pkg_id = "sm_test_pkg_id_set_label_from_appid";
- int result;
++ uninstall_app(app_id, pkg_id, true);
+ }
+
+ RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
+ {
- uninstall_app(app_id, pkg_id, false, true);
++ const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
++ const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
+
- result = security_manager_set_process_label_from_appid(app_id);
- RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS,
- "security_manager_set_process_label_from_appid(" <<
- app_id << ") failed. Result: " << result);
++ uninstall_app(app_id, pkg_id, true);
+ install_app(app_id, pkg_id);
+
- uninstall_app(app_id, pkg_id, true, true);
++ Api::setProcessLabel(app_id);
+
-
-
-static void prepare_request(AppInstReqUniquePtr &request,
++ uninstall_app(app_id, pkg_id, true);
+ }
+
- const char *const path)
++static void prepare_request(InstallRequest &request,
+ const char *const app_id,
+ const char *const pkg_id,
+ app_install_path_type pathType,
- int result;
- request.reset(do_app_inst_req_new());
++ const char *const path,
++ uid_t uid)
+ {
- result = security_manager_app_inst_req_set_app_id(request.get(), app_id);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ request.setAppId(app_id);
++ request.setPkgId(pkg_id);
++ request.addPath(path, pathType);
++
++ if (uid != 0)
++ request.setUid(uid);
++}
++
++static uid_t getGlobalUserId(void)
++{
++ return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
++}
++
++static const std::string appDirPath(const TemporaryTestUser &user,
++ const std::string &appId, const std::string &pkgId)
++{
++ struct tzplatform_context *tzCtxPtr = nullptr;
+
- result = security_manager_app_inst_req_set_pkg_id(request.get(), pkg_id);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting pkg id failed. Result: " << result);
++ RUNNER_ASSERT(0 == tzplatform_context_create(&tzCtxPtr));
++ TzPlatformContextPtr tzCtxPtrSmart(tzCtxPtr);
+
- result = security_manager_app_inst_req_add_path(request.get(), path, pathType);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting allowed path failed. Result: " << result);
++ RUNNER_ASSERT_MSG(0 == tzplatform_context_set_user(tzCtxPtr, user.getUid()),
++ "Unable to set user <" << user.getUserName() << "> for tzplatform context");
+
-static struct passwd* get_app_pw()
++ const char *appDir = tzplatform_context_getenv(tzCtxPtr,
++ getGlobalUserId() == user.getUid() ? TZ_SYS_RW_APP : TZ_USER_APP);
++ RUNNER_ASSERT_MSG(nullptr != appDir,
++ "tzplatform_context_getenv failed"
++ << "for getting sys rw app of user <" << user.getUserName() << ">");
++
++ return std::string(appDir) + "/" + pkgId + "/" + appId;
+ }
+
++static const std::string nonAppDirPath(const TemporaryTestUser &user)
++{
++ return TMP_DIR + "/" + user.getUserName();
++}
+
- struct passwd *pw = nullptr;
- errno = 0;
- while(!(pw = getpwnam(APP_USER))) {
- RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
- }
- return pw;
++static const std::string uidToStr(const uid_t uid)
+ {
-RUNNER_CHILD_TEST(security_manager_04_app_install_uninstall_by_app_user)
++ return std::to_string(static_cast<unsigned int>(uid));
+ }
+
- AppInstReqUniquePtr request;
- struct passwd *pw = get_app_pw();
- const std::string user = std::to_string(static_cast<unsigned int>(pw->pw_uid));
++static void install_and_check(const char *const sm_app_id,
++ const char *const sm_pkg_id,
++ const TemporaryTestUser& user,
++ const std::string &appDir,
++ bool requestUid)
++{
++ InstallRequest requestPublic;
++
++ //install app for non-root user and try to register public path (should fail)
++ prepare_request(requestPublic, sm_app_id, sm_pkg_id,
++ SECURITY_MANAGER_PATH_PUBLIC, appDir.c_str(),
++ requestUid ? user.getUid() : 0);
++
++ Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
++
++ InstallRequest requestPrivate;
++
++ //install app for non-root user
++ //should fail (users may only register folders inside their home)
++ prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
++ SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
++ requestUid ? user.getUid() : 0);
++
++ Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
++
++ InstallRequest requestPrivateUser;
++
++ //install app for non-root user
++ //should succeed - this time i register folder inside user's home dir
++ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
++ SECURITY_MANAGER_PATH_RW, appDir.c_str(),
++ requestUid ? user.getUid() : 0);
++
++ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
++ requestPrivateUser.addPrivilege(privilege.c_str());
++
++ Api::install(requestPrivateUser);
++
++ check_app_permissions(sm_app_id, sm_pkg_id,
++ uidToStr(user.getUid()).c_str(),
++ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
++}
++
++static void createTestDir(const std::string &dir)
++{
++ mode_t dirMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
++ mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
++ mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
++
++ mktreeSafe(dir, dirMode);
++ creatSafe(dir + "/" + EXEC_FILE, execFileMode);
++ creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
++ symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
++ symlinkSafe(dir + "/" + NORMAL_FILE, dir + "/" + LINK_PREFIX + NORMAL_FILE);
++}
++
++static void createInnerAppDir(const std::string &dir, const std::string &nonAppDir)
++{
++ createTestDir(dir);
++
++ symlinkSafe(nonAppDir, dir + "/" + LINK_PREFIX + "non_app_dir");
++ symlinkSafe(nonAppDir + "/" + EXEC_FILE,
++ dir + "/" + LINK_PREFIX + "non_app_" + EXEC_FILE);
++ symlinkSafe(nonAppDir + "/" + NORMAL_FILE,
++ dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
++}
++
++static void generateAppDir(const TemporaryTestUser &user,
++ const std::string &appId, const std::string &pkgId)
++{
++ const std::string dir = appDirPath(user, appId, pkgId);
++ const std::string nonAppDir = nonAppDirPath(user);
++
++ createInnerAppDir(dir, nonAppDir);
++ createInnerAppDir(dir + "/.inner_dir", nonAppDir);
++ createInnerAppDir(dir + "/inner_dir", nonAppDir);
++}
++
++static void generateNonAppDir(const TemporaryTestUser &user)
++{
++ const std::string dir = nonAppDirPath(user);
++
++ createTestDir(dir);
++ createTestDir(dir + "/.inner_dir");
++ createTestDir(dir + "/inner_dir");
++}
++
++static void createTestDirs(const TemporaryTestUser &user,
++ const std::string &appId, const std::string &pkgId)
++{
++ generateAppDir(user, appId, pkgId);
++ generateNonAppDir(user);
++}
++
++static void removeTestDirs(const TemporaryTestUser &user,
++ const std::string &appId, const std::string &pkgId)
++{
++ removeDir(appDirPath(user, appId, pkgId));
++ removeDir(nonAppDirPath(user));
++}
++
++RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
+ {
+ int result;
- result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ const char *const sm_app_id = "sm_test_04a_app_id_uid";
++ const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
++ const std::string new_user_name = "sm_test_04a_user_name";
++
++ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
++ testUser.create();
++
++ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
++ createTestDirs(testUser, sm_app_id, sm_pkg_id);
++
++ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
- //install app as non-root user and try to register public path (should fail)
- prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PUBLIC, SM_PRIVATE_PATH_FOR_USER);
++ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
- "installing app not failed. Result: " << result);
++ install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
+
- //install app as non-root user
- //should fail (non-root users may only register folders inside their home)
- prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH);
++ //uninstall app as non-root user
++ InstallRequest request;
++ request.setAppId(sm_app_id);
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED,
- "installing app not failed. Result: " << result);
++ Api::uninstall(request);
+
- //install app as non-root user
- //should succeed - this time i register folder inside user's home dir
- prepare_request(request, SM_APP_ID3, SM_PKG_ID3, SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH_FOR_USER);
++ check_app_permissions(sm_app_id, sm_pkg_id,
++ uidToStr(testUser.getUid()).c_str(),
++ SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
++}
+
- for (auto &privilege : SM_ALLOWED_PRIVILEGES) {
- result = security_manager_app_inst_req_add_privilege(request.get(), privilege.c_str());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting allowed permission failed. Result: " << result);
- }
++RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
++{
++ int result;
++ const char *const sm_app_id = "sm_test_04b_app_id_uid";
++ const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
++ const std::string new_user_name = "sm_test_04b_user_name";
+
- result = security_manager_app_install(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "installing app failed. Result: " << result);
++ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
++ testUser.create();
+
- check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
++ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
++ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
- //uninstall app as non-root user
- request.reset(do_app_inst_req_new());
++ install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser, sm_app_id, sm_pkg_id), true);
+
- result = security_manager_app_inst_req_set_app_id(request.get(), SM_APP_ID3);
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "setting app id failed. Result: " << result);
++ //switch user to non-root - root may not uninstall apps for specified users
++ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
- result = security_manager_app_uninstall(request.get());
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "uninstalling app failed. Result: " << result);
++ //uninstall app as non-root user
++ InstallRequest request;
++ request.setAppId(sm_app_id);
+
- check_app_permissions(SM_APP_ID3, SM_PKG_ID3, user.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
++ Api::uninstall(request);
+
- result = security_manager_drop_process_privileges();
- RUNNER_ASSERT_MSG((lib_retcode)result == SECURITY_MANAGER_SUCCESS,
- "dropping caps failed. Result: " << result);
++ check_app_permissions(sm_app_id, sm_pkg_id,
++ uidToStr(testUser.getUid()).c_str(),
++ SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+ }
+
++
+ RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
+ {
+ int result;
+ CapsSetsUniquePtr caps, caps_empty(cap_init());
+
+ caps.reset(cap_from_text("all=eip"));
+ RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
+ result = cap_set_proc(caps.get());
+ RUNNER_ASSERT_MSG(result == 0,
+ "can't set capabilities. Result: " << result);
+
++ Api::dropProcessPrivileges();
+
+ caps.reset(cap_get_proc());
+ RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
+
+ result = cap_compare(caps.get(), caps_empty.get());
+ RUNNER_ASSERT_MSG(result == 0,
+ "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
+ }
+
++RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
++{
++ const char *const app_id = "sm_test_06_app_id_install_app_offline";
++ const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
++
++ // Uninstall app on-line, off-line mode doesn't support it
++ uninstall_app(app_id, pkg_id, true);
++
++ ServiceManager("security-manager.service").stopService();
++
++ ServiceManager serviceManager("security-manager.socket");
++ serviceManager.stopService();
++
++ install_app(app_id, pkg_id);
++
++ serviceManager.startService();
++
++ uninstall_app(app_id, pkg_id, true);
++}
++
++RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
++{
++ const char *const sm_app_id = "sm_test_07_app_id_user";
++ const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
++ const std::string new_user_name = "sm_test_07_user_name";
++ std::string uid_string;
++ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
++ test_user.create();
++ test_user.getUidString(uid_string);
++
++ removeTestDirs(test_user, sm_app_id, sm_pkg_id);
++ createTestDirs(test_user, sm_app_id, sm_pkg_id);
++
++ install_app(sm_app_id, sm_pkg_id, test_user.getUid());
++
++ check_app_after_install(sm_app_id, sm_pkg_id);
++
++ test_user.remove();
++
++ check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
++
++ check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
++}
++
++RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
++{
++ UserRequest addUserRequest;
++
++ const char *const sm_app_id = "sm_test_08_app_id_user";
++ const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
++ const std::string new_user_name = "sm_test_08_user_name";
++ std::string uid_string;
++
++ // gumd user add
++ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
++ test_user.create();
++ test_user.getUidString(uid_string);
++
++ removeTestDirs(test_user, sm_app_id, sm_pkg_id);
++ createTestDirs(test_user, sm_app_id, sm_pkg_id);
++
++ addUserRequest.setUid(test_user.getUid());
++ addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
++
++ //sm user add
++ Api::addUser(addUserRequest);
++
++ install_app(sm_app_id, sm_pkg_id, test_user.getUid());
++
++ check_app_after_install(sm_app_id, sm_pkg_id);
++
++ test_user.remove();
++
++ UserRequest deleteUserRequest;
++ deleteUserRequest.setUid(test_user.getUid());
++
++ Api::deleteUser(deleteUserRequest);
++
++ check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
++
++ check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
++}
++
++RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
++{
++ const char *const app_id = "security_manager_09_add_user_offline_app";
++ const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
++ const std::string new_user_name("sm_test_09_user_name");
++
++ ServiceManager("security-manager.service").stopService();
++
++ ServiceManager serviceManager("security-manager.socket");
++ serviceManager.stopService();
++
++ TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
++ test_user.create();
++
++ removeTestDirs(test_user, app_id, pkg_id);
++ createTestDirs(test_user, app_id, pkg_id);
++
++ install_app(app_id, pkg_id, test_user.getUid());
++
++ check_app_after_install(app_id, pkg_id);
++
++ serviceManager.startService();
++
++ test_user.remove();
++
++ check_app_after_uninstall(app_id, pkg_id, true);
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
++{
++ //TEST DATA
++ const std::string username("sm_test_10_user_name");
++ unsigned int privileges_count = 0;
++
++ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
++ std::map<std::string, std::set<std::string>> apps2PrivsMap;
++
++ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
++ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
++ MANY_APPS.at(i), std::set<std::string>(
++ MANY_APPS_PRIVILEGES.at(i).begin(),
++ MANY_APPS_PRIVILEGES.at(i).end())));
++ privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
++ };
++
++ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
++ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
++ ++privileges_count;
++ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
++ //TEST DATA END
++
++ sem_t *mutex;
++ errno = 0;
++ RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
++ pid_t pid = fork();
++
++ if (pid != 0) { //parent process
++ TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
++ tmpUser.create();
++
++ for(const auto &user : users2AppsMap) {
++
++ for(const auto &app : user.second) {
++ InstallRequest requestInst;
++ requestInst.setAppId(app.first.c_str());
++ try {
++ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
++ };
++ requestInst.setUid(tmpUser.getUid());
++
++ for (const auto &privilege : app.second) {
++ requestInst.addPrivilege(privilege.c_str());
++ };
++
++ Api::install(requestInst);
++ };
++
++ //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
++ };
++ //Start child process
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
++
++ int status;
++ wait(&status);
++
++ tmpUser.remove();
++ };
++
++ if (pid == 0) { //child process
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
++ //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
++
++ struct passwd *pw = getUserStruct(username);
++ register_current_process_as_privilege_manager(pw->pw_uid);
++ int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ std::vector<PolicyEntry> policyEntries;
++ PolicyEntry filter;
++ Api::getPolicy(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
++ RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
++
++ for (const auto &policyEntry : policyEntries) {
++ std::string user = policyEntry.getUser();
++ std::string app = policyEntry.getAppId();
++ std::string privilege = policyEntry.getPrivilege();
++
++ try {
++ struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
++ std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
++ if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
++ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
++ } catch (const std::invalid_argument& e) {
++ RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
++ };
++ };
++ exit(0);
++ };
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
++{
++ //TEST DATA
++ const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
++ unsigned int privileges_count = 0;
++
++ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
++ std::map<std::string, std::set<std::string>> apps2PrivsMap;
++
++ for (const auto &username : usernames) {
++ //Only entries for one of the users will be listed
++ privileges_count = 0;
++
++ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
++ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
++ MANY_APPS.at(i), std::set<std::string>(
++ MANY_APPS_PRIVILEGES.at(i).begin(),
++ MANY_APPS_PRIVILEGES.at(i).end())));
++ privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
++ };
++
++ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
++ };
++
++ users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
++ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
++
++ ++privileges_count;
++ //TEST DATA END
++
++ sem_t *mutex;
++ errno = 0;
++ RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
++ pid_t pid = fork();
++
++ if (pid != 0) { //parent process
++ std::vector<TemporaryTestUser> users = {
++ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
++ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
++ };
++
++ users.at(0).create();
++ users.at(1).create();
++
++ //Install apps for both users
++ for(const auto &user : users) {
++ for(const auto &app : users2AppsMap.at(user.getUserName())) {
++ InstallRequest requestInst;
++ requestInst.setAppId(app.first.c_str());
++ try {
++ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
++ };
++ requestInst.setUid(user.getUid());
++
++ for (const auto &privilege : app.second) {
++ requestInst.addPrivilege(privilege.c_str());
++ };
++
++ Api::install(requestInst);
++ };
++
++ //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
++ };
++ //Start child
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
++
++ int status;
++ wait(&status);
++
++ for(auto &user : users) {
++ user.remove();
++ };
++ };
++
++ if (pid == 0) {
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
++ struct passwd *pw = getUserStruct(usernames.at(0));
++ register_current_process_as_privilege_manager(pw->pw_uid);
++
++ //change uid to normal user
++ errno = 0;
++ int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ std::vector<PolicyEntry> policyEntries;
++ PolicyEntry filter;
++
++ //this call should only return privileges belonging to the current uid
++ Api::getPolicy(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
++ RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
++
++ for (const auto &policyEntry : policyEntries) {
++ std::string user = policyEntry.getUser();
++ std::string app = policyEntry.getAppId();
++ std::string privilege = policyEntry.getPrivilege();
++
++ try {
++ struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
++ std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
++ if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
++ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
++ } catch (const std::invalid_argument& e) {
++ RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
++ };
++ };
++ exit(0);
++ };
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
++{
++ //TEST DATA
++ const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
++ unsigned int privileges_count = 0;
++
++ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
++ std::map<std::string, std::set<std::string>> apps2PrivsMap;
++
++ for (const auto &username : usernames) {
++
++ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
++ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
++ MANY_APPS.at(i), std::set<std::string>(
++ MANY_APPS_PRIVILEGES.at(i).begin(),
++ MANY_APPS_PRIVILEGES.at(i).end())));
++ privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
++ };
++
++ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
++ };
++
++ users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
++ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
++
++ privileges_count += 2;
++ //TEST DATA END
++
++ sem_t *mutex;
++ errno = 0;
++ RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
++ pid_t pid = fork();
++
++ if (pid != 0) { //parent process
++ std::vector<TemporaryTestUser> users = {
++ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
++ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
++ };
++
++ users.at(0).create();
++ users.at(1).create();
++ //Install apps for both users
++ for(const auto &user : users) {
++ for(const auto &app : users2AppsMap.at(user.getUserName())) {
++ InstallRequest requestInst;
++ requestInst.setAppId(app.first.c_str());
++ try {
++ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
++ };
++ requestInst.setUid(user.getUid());
++
++ for (const auto &privilege : app.second) {
++ requestInst.addPrivilege(privilege.c_str());
++ };
++
++ Api::install(requestInst);
++ };
++
++ //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
++ };
++
++ //Start child
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
++
++ //Wait for child to finish
++ int status;
++ wait(&status);
++
++ for(auto &user : users) {
++ user.remove();
++ };
++ };
++
++ if (pid == 0) { //child process
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
++
++ struct passwd *pw = getUserStruct(usernames.at(1));
++ register_current_process_as_privilege_manager(pw->pw_uid, true);
++
++ //change uid to normal user
++ int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ std::vector<PolicyEntry> policyEntries;
++ PolicyEntry filter;
++ //this call should succeed as the calling user is privileged
++ Api::getPolicy(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
++ RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
++
++ for (const auto &policyEntry : policyEntries) {
++ std::string user = policyEntry.getUser();
++ std::string app = policyEntry.getAppId();
++ std::string privilege = policyEntry.getPrivilege();
++
++ try {
++ struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
++ std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
++ if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
++ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
++ } catch (const std::invalid_argument& e) {
++ RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
++ };
++ };
++
++ exit(0);
++ };
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
++{
++ //TEST DATA
++ const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
++
++ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
++ std::map<std::string, std::set<std::string>> apps2PrivsMap;
++
++ for (const auto &username : usernames) {
++
++ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
++ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
++ MANY_APPS.at(i), std::set<std::string>(
++ MANY_APPS_PRIVILEGES.at(i).begin(),
++ MANY_APPS_PRIVILEGES.at(i).end())));
++ };
++
++ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
++ };
++
++ users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
++ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
++
++ //TEST DATA END
++
++ pid_t pid[2];
++ sem_t *mutex[2];
++ errno = 0;
++ RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
++ std::vector<PolicyEntry> policyEntries;
++
++ pid[0] = fork();
++
++ if(pid[0] == 0) { //child #1 process
++ RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
++ struct passwd *pw = getUserStruct(usernames.at(0));
++ register_current_process_as_privilege_manager(pw->pw_uid);
++
++ //change uid to normal user
++ int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ PolicyEntry filter;
++ PolicyRequest policyRequest;
++ //this call should succeed as the calling user is privileged
++ Api::getPolicyForSelf(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
++
++ PolicyEntry policyEntry(
++ MANY_APPS[0],
++ std::to_string(pw->pw_uid),
++ "http://tizen.org/privilege/internet"
++ );
++ policyEntry.setLevel("Deny");
++
++ policyRequest.addEntry(policyEntry);
++ policyEntry = PolicyEntry(
++ MANY_APPS[1],
++ std::to_string(pw->pw_uid),
++ "http://tizen.org/privilege/location"
++ );
++ policyEntry.setLevel("Deny");
++
++ policyRequest.addEntry(policyEntry);
++ Api::sendPolicy(policyRequest);
++ Api::getPolicyForSelf(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
++ exit(0);
++ };
++
++ if (pid[0] != 0) {//parent process
++ pid[1] = fork();
++
++ if (pid[1] == 0) { //child #2 process
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
++ struct passwd *pw_target = getUserStruct(usernames.at(0));
++ struct passwd *pw = getUserStruct(usernames.at(1));
++ register_current_process_as_privilege_manager(pw->pw_uid);
++
++ //change uid to normal user
++ int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ PolicyEntry filter = PolicyEntry(
++ SECURITY_MANAGER_ANY,
++ std::to_string(pw_target->pw_uid),
++ SECURITY_MANAGER_ANY
++ );
++
++ //U2 requests contents of U1 privacy manager - should fail
++ Api::getPolicyForSelf(filter, policyEntries);
++ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
++
++ filter = PolicyEntry(
++ SECURITY_MANAGER_ANY,
++ SECURITY_MANAGER_ANY,
++ SECURITY_MANAGER_ANY
++ );
++
++ policyEntries.clear();
++
++ //U2 requests contents of ADMIN bucket - should fail
++ Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
++ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
++ exit(0);
++ };
++
++ if (pid[1] != 0) { //parent
++
++ std::vector<TemporaryTestUser> users = {
++ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
++ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
++ };
++
++ users.at(0).create();
++ users.at(1).create();
++
++ //Install apps for both users
++ for(const auto &user : users2AppsMap) {
++
++ for(const auto &app : user.second) {
++ InstallRequest requestInst;
++ requestInst.setAppId(app.first.c_str());
++ try {
++ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
++ };
++ requestInst.setUid(users.at(0).getUid());
++
++ for (const auto &privilege : app.second) {
++ requestInst.addPrivilege(privilege.c_str());
++ };
++
++ Api::install(requestInst);
++ };
++
++ //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
++ };
++
++ int status;
++ //Start child #1
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
++
++ //Wait until child #1 finishes
++ pid_t ret = wait(&status);
++ RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
++
++ //Start child #2
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
++ //Wait until child #2 finishes
++ ret = wait(&status);
++ RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
++
++ for(auto &user : users) {
++ user.remove();
++ };
++
++ sem_close(mutex[0]);
++ sem_close(mutex[1]);
++ };
++ };
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
++{
++ //TEST DATA
++ const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
++ unsigned int privileges_count = 0;
++
++ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
++ std::map<std::string, std::set<std::string>> apps2PrivsMap;
++
++ for (const auto &username : usernames) {
++
++ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
++ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
++ MANY_APPS.at(i), std::set<std::string>(
++ MANY_APPS_PRIVILEGES.at(i).begin(),
++ MANY_APPS_PRIVILEGES.at(i).end())));
++ privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
++ };
++
++ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
++ };
++
++ users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
++ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
++
++ privileges_count += 2;
++ //TEST DATA END
++ sem_t *mutex;
++ errno = 0;
++ RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
++
++ pid_t pid = fork();
++ if (pid != 0) {
++ std::vector<TemporaryTestUser> users = {
++ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
++ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
++ };
++
++ users.at(0).create();
++ users.at(1).create();
++
++ //Install apps for both users
++ for(const auto &user : users) {
++
++ for(const auto &app : users2AppsMap.at(user.getUserName())) {
++ InstallRequest requestInst;
++ requestInst.setAppId(app.first.c_str());
++ try {
++ requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
++ } catch (const std::out_of_range &e) {
++ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
++ };
++ requestInst.setUid(user.getUid());
++
++ for (const auto &privilege : app.second) {
++ requestInst.addPrivilege(privilege.c_str());
++ };
++
++ Api::install(requestInst);
++ };
++ };
++ //Start child process
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
++ int status;
++ //Wait for child process to finish
++ wait(&status);
++
++ //switch back to root
++ for(auto &user : users) {
++ user.remove();
++ };
++
++ sem_close(mutex);
++ }
++
++ if (pid == 0) { //child process
++ errno = 0;
++ RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
++
++ struct passwd *pw = getUserStruct(usernames.at(0));
++ register_current_process_as_privilege_manager(pw->pw_uid, true);
++
++ //change uid to normal user
++ int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ PolicyRequest *policyRequest = new PolicyRequest();
++ PolicyEntry filter;
++ std::vector<PolicyEntry> policyEntries;
++ //this call should succeed as the calling user is privileged
++ Api::getPolicyForSelf(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
++
++ PolicyEntry policyEntry(
++ SECURITY_MANAGER_ANY,
++ SECURITY_MANAGER_ANY,
++ "http://tizen.org/privilege/internet"
++ );
++ policyEntry.setMaxLevel("Deny");
++
++ policyRequest->addEntry(policyEntry);
++ policyEntry = PolicyEntry(
++ SECURITY_MANAGER_ANY,
++ SECURITY_MANAGER_ANY,
++ "http://tizen.org/privilege/location"
++ );
++ policyEntry.setMaxLevel("Deny");
++
++ policyRequest->addEntry(policyEntry);
++ Api::sendPolicy(*policyRequest);
++ Api::getPolicyForAdmin(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
++
++ delete policyRequest;
++ policyRequest = new PolicyRequest();
++ policyEntry = PolicyEntry(
++ SECURITY_MANAGER_ANY,
++ SECURITY_MANAGER_ANY,
++ "http://tizen.org/privilege/internet"
++ );
++ policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
++ policyRequest->addEntry(policyEntry);
++
++ policyEntry = PolicyEntry(
++ SECURITY_MANAGER_ANY,
++ SECURITY_MANAGER_ANY,
++ "http://tizen.org/privilege/location"
++ );
++ policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
++
++ policyRequest->addEntry(policyEntry);
++ Api::sendPolicy(*policyRequest);
++
++ policyEntries.clear();
++ Api::getPolicyForAdmin(filter, policyEntries);
++ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
++
++ delete policyRequest;
++
++ exit(0);
++ };
++
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
++{
++ const char *const update_app_id = "security_manager_15_update_app_id";
++ const char *const update_privilege = "http://tizen.org/privilege/led";
++ const char *const check_start_bucket = "ADMIN";
++ const std::string username("sm_test_15_username");
++ PolicyRequest addPolicyRequest;
++ CynaraTestAdmin::Admin admin;
++
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ } msg;
++
++ int pipefd[2];
++ pid_t pid;
++ int result = 0;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++
++ TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
++ user.create();
++
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ register_current_process_as_privilege_manager(user.getUid(), true);
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++
++ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
++ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
++ }
++ if(pid == 0)
++ {
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
++ entry.setMaxLevel("Allow");
++
++ addPolicyRequest.addEntry(entry);
++ Api::sendPolicy(addPolicyRequest);
++ exit(0);
++ }
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
++{
++ const char *const update_other_app_id = "security_manager_15_update_other_app_id";
++ const char *const update_privilege = "http://tizen.org/privilege/led";
++ const char *const check_start_bucket = "ADMIN";
++ const std::string username("sm_test_15_username");
++ PolicyRequest addPolicyRequest;
++ CynaraTestAdmin::Admin admin;
++
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ } msg;
++
++ int pipefd[2];
++ pid_t pid;
++ int result = 0;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++
++ TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
++ user.create();
++
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ register_current_process_as_privilege_manager(user.getUid(), true);
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++
++ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
++ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
++ }
++ if(pid == 0)
++ {
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ // use wildcard as appId
++ PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
++ entry.setMaxLevel("Allow");
++
++ addPolicyRequest.addEntry(entry);
++ Api::sendPolicy(addPolicyRequest);
++ exit(0);
++ }
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
++{
++ const char *const update_app_id = "security_manager_15_update_app_id";
++ const char *const update_privilege = "http://tizen.org/privilege/led";
++ const char *const check_start_bucket = "";
++ const std::string username("sm_test_15_username");
++ PolicyRequest addPolicyRequest;
++ CynaraTestAdmin::Admin admin;
++
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ } msg;
++
++ int pipefd[2];
++ pid_t pid;
++ int result = 0;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++
++ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
++ user.create();
++
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ register_current_process_as_privilege_manager(user.getUid(), false);
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++
++ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
++ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
++ }
++ if(pid == 0)
++ {
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
++ entry.setLevel("Allow");
++
++ addPolicyRequest.addEntry(entry);
++ Api::sendPolicy(addPolicyRequest);
++ exit(0);
++ }
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
++{
++ const std::string username("sm_test_16_user_cynara_policy");
++ CynaraTestAdmin::Admin admin;
++ int pipefd[2];
++ pid_t pid;
++ int result = 0;
++
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ } msg;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++
++ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
++ user.create();
++
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++ }
++ if(pid == 0)
++ {
++ int ret;
++ char** levels;
++ std::string allow_policy, deny_policy;
++ size_t count;
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ // without plugins there should only be 2 policies - Allow and Deny
++ ret = security_manager_policy_levels_get(&levels, &count);
++
++ RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
++ "Invlid return code: " << ret);
++
++ RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
++
++ deny_policy = std::string(levels[0]);
++ allow_policy = std::string(levels[count-1]);
++
++ // first should always be Deny
++ RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
++ "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
++
++ // last should always be Allow
++ RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
++ "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
++
++ security_manager_policy_levels_free(levels, count);
++ exit(0);
++ }
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
++{
++ const char *const update_app_id = "security_manager_17_update_app_id";
++ const char *const update_privilege = "http://tizen.org/privilege/led";
++ const char *const check_start_bucket = "";
++ const std::string username("sm_test_17_username");
++ PolicyRequest addPolicyRequest;
++ CynaraTestAdmin::Admin admin;
++
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ } msg;
++
++ int pipefd[2];
++ int pipefd2[2];
++ pid_t pid;
++ int result = 0;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++ RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
++
++ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
++ user.create();
++
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ register_current_process_as_privilege_manager(user.getUid(), false);
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++
++ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
++ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
++
++ pid = fork();
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd2+1);
++ close(pipefd2[0]);
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++
++ //wait for child
++ waitpid(-1, &result, 0);
++
++ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
++ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
++ }
++ if(pid == 0)
++ {
++ FdUniquePtr pipeptr(pipefd2);
++ close(pipefd2[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ // delete this entry
++ PolicyRequest deletePolicyRequest;
++ PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
++ deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
++
++ deletePolicyRequest.addEntry(deleteEntry);
++ Api::sendPolicy(deletePolicyRequest);
++ exit(0);
++ }
++ }
++ if(pid == 0)
++ {
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
++ entry.setLevel("Allow");
++
++ addPolicyRequest.addEntry(entry);
++ Api::sendPolicy(addPolicyRequest);
++ exit(0);
++ }
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
++{
++ const std::string username("sm_test_17_user_name");
++
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ unsigned int privileges_count;
++ } msg;
++
++ int pipefd[2];
++ pid_t pid;
++ int result = 0;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
++ user.create();
++
++ unsigned int privileges_count = 0;
++
++ register_current_process_as_privilege_manager(user.getUid(), false);
++ //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
++ ++privileges_count;
++
++ for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
++ InstallRequest requestInst;
++ requestInst.setAppId(MANY_APPS[i].c_str());
++ requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
++ requestInst.setUid(user.getUid());
++
++ for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
++ requestInst.addPrivilege(priv.c_str());
++ };
++
++ Api::install(requestInst);
++ privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
++ };
++
++ //send info to child
++ msg.uid = user.getUid();
++ msg.gid = user.getGid();
++ msg.privileges_count = privileges_count;
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++ }
++ if(pid == 0)
++ {
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++
++ // filter by privilege
++ std::vector<PolicyEntry> policyEntries;
++ PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
++ Api::getPolicy(filter, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
++ RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
++
++ // filter by other privilege
++ policyEntries.clear();
++ PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
++ Api::getPolicy(filter2, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
++ RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
++
++ // filter by appId
++ policyEntries.clear();
++ PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
++ Api::getPolicy(filter3, policyEntries);
++
++ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
++ RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
++ }
++}
++
++RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy)
++{
++ const char *const MAIN_BUCKET = "MAIN";
++ const char *const MANIFESTS_BUCKET = "MANIFESTS";
++ const char *const ADMIN_BUCKET = "ADMIN";
++ const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
++ const std::string username("sm_test_10_user_cynara_policy");
++ CynaraTestAdmin::Admin admin;
++ std::string uid_string;
++ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
++ user.create();
++ user.getUidString(uid_string);
++
++ CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
++ nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
++ admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
++
++ user.remove();
++ CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
++
++ admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
++ admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
++ admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
++ admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
++}
++
++RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install)
++{
++ int ret;
++ const int SUCCESS = 0;
++ const int FAILURE = 256;
++ const std::string app_id = "security_manager_10_app";
++ const std::string pkg_id = "security_manager_10_pkg";
++ const std::string username("sm_test_10_user_name");
++ std::string uid_string;
++ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
++ user.create();
++ user.getUidString(uid_string);
++ const std::string path1 = appDirPath(user, app_id, pkg_id) + "/p1";
++ const std::string path2 = appDirPath(user, app_id, pkg_id) + "/p2";
++ const std::string pkgopt = " --pkg=" + pkg_id;
++ const std::string appopt = " --app=" + app_id;
++ const std::string uidopt = " --uid=" + uid_string;
++
++ mktreeSafe(path1.c_str(), 0);
++ mktreeSafe(path2.c_str(), 0);
++
++ const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
++
++ struct operation {
++ std::string command;
++ int expected_result;
++ };
++ std::vector<struct operation> operations = {
++ {"security-manager-cmd", FAILURE},//no option
++ {"security-manager-cmd --blah", FAILURE},//blah option is not known
++ {"security-manager-cmd --help", SUCCESS},
++ {"security-manager-cmd --install", FAILURE},//no params
++ {"security-manager-cmd -i", FAILURE},//no params
++ {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
++ {installcmd, SUCCESS},
++ {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
++ {installcmd + " --path " + path1 + " writable", SUCCESS},
++ {installcmd + " --path " + path1, FAILURE},//no path type
++ {installcmd + " --path " + path1 + " writable" + " --path " + path2 + " readable", SUCCESS},
++ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " readable", FAILURE},//wrong path type
++ {installcmd + " --path " + path1 + " writable" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
++ };
++
++ for (auto &op : operations) {
++ ret = system(op.command.c_str());
++ RUNNER_ASSERT_MSG(ret == op.expected_result,
++ "Unexpected result for command '" << op.command <<"': "
++ << ret << " Expected was: "<< op.expected_result);
++ }
++}
++
++RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
++{
++ int ret;
++ const int SUCCESS = 0;
++ const int FAILURE = 256;
++ const std::string username("sm_test_11_user_name");
++ std::string uid_string;
++ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
++ user.create();
++ user.getUidString(uid_string);
++ const std::string uidopt = " --uid=" + uid_string;
++
++ struct operation {
++ std::string command;
++ int expected_result;
++ };
++ std::vector<struct operation> operations = {
++ {"security-manager-cmd --manage-users=remove", FAILURE},//no params
++ {"security-manager-cmd -m", FAILURE},//no params
++ {"security-manager-cmd -mr", FAILURE},//no uid
++ {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
++ {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
++ {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
++ {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
++ {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
++ {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
++ {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
++ {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
++ };
++
++ for (auto &op : operations) {
++ ret = system(op.command.c_str());
++ RUNNER_ASSERT_MSG(ret == op.expected_result,
++ "Unexpected result for command '" << op.command <<"': "
++ << ret << " Expected was: "<< op.expected_result);
++ }
++}
++
++RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
++{
++ const int BUFFER_SIZE = 128;
++ struct message {
++ uid_t uid;
++ gid_t gid;
++ char buf[BUFFER_SIZE];
++ } msg;
++
++ privileges_t admin_required_privs = {
++ "http://tizen.org/privilege/systemsettings.admin",
++ "http://tizen.org/privilege/systemsettings"};
++ privileges_t manifest_privs = {
++ "http://tizen.org/privilege/internet",
++ "http://tizen.org/privilege/camera"};
++ privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
++ privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
++
++ const std::string pirivman_id = "sm_test_13_ADMIN_APP";
++ const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
++ const std::string app_id = "sm_test_13_SOME_APP";
++ const std::string pkg_id = "sm_test_13_SOME_PKG";
++
++ int pipefd[2];
++ pid_t pid;
++ int result = 0;
++
++ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
++ pid = fork();
++ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
++ if (pid != 0)//parent process
++ {
++ std::string childuidstr;
++ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
++ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
++
++ InstallRequest request,request2;
++ FdUniquePtr pipeptr(pipefd+1);
++ close(pipefd[0]);
++
++ admin.create();
++ child.create();
++ child.getUidString(childuidstr);
++
++ //install privacy manager for admin
++ request.setAppId(pirivman_id.c_str());
++ request.setPkgId(pirivman_pkg_id.c_str());
++ request.setUid(admin.getUid());
++ for (auto &priv: admin_required_privs)
++ request.addPrivilege(priv.c_str());
++ Api::install(request);
++
++ //install app for child that has internet privilege
++ request2.setAppId(app_id.c_str());
++ request2.setPkgId(pkg_id.c_str());
++ request2.setUid(child.getUid());
++ for (auto &priv: manifest_privs)
++ request2.addPrivilege(priv.c_str());
++ Api::install(request2);
++
++ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
++ manifest_privs, SM_NO_PRIVILEGES);
++
++ //send info to child
++ msg.uid = admin.getUid();
++ msg.gid = admin.getGid();
++ strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
++
++ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
++
++ //wait for child
++ RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
++
++ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
++ real_privs_allow, real_privs_deny);
++ }
++ if (pid == 0)//child
++ {
++ FdUniquePtr pipeptr(pipefd);
++ close(pipefd[1]);
++
++ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
++ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
++
++ //become admin privacy manager manager
++ Api::setProcessLabel(pirivman_id.c_str());
++ result = drop_root_privileges(msg.uid, msg.gid);
++ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
++ PolicyRequest addPolicyReq;
++ //change rights
++ for (auto &denypriv:real_privs_deny) {
++ /*this entry will deny some privileges for user whose uid (as c string)
++ was sent in message's buf field.
++ That user would be denying internet for child in this case*/
++ PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
++ entry.setMaxLevel("Deny");
++ addPolicyReq.addEntry(entry);
++ }
++ Api::sendPolicy(addPolicyReq);
++ exit(0);
++ }
++}
++
+ int main(int argc, char *argv[])
+ {
+ return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
+ }
projects / platform / core / test / security-tests.git / commitdiff