* limitations under the License.
*/
-#include <cstdlib>
-#include <fcntl.h>
-#include <fstream>
-#include <map>
-#include <regex>
-#include <stdio.h>
-#include <string>
-#include <sys/smack.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <unordered_set>
-
-#include <cynara_test_admin.h>
#include <dpl/test/test_runner.h>
-#include <sm_api.h>
-#include <sm_commons.h>
-#include <sm_db.h>
-#include <sm_policy_request.h>
-#include <sm_request.h>
-#include <temp_test_user.h>
-#include <tests_common.h>
-#include <tzplatform.h>
-
-using namespace SecurityManagerTest;
-
-RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)
-
-RUNNER_TEST(security_manager_18_user_cynara_policy)
-{
- const char *const MAIN_BUCKET = "MAIN";
- const char *const MANIFESTS_BUCKET = "MANIFESTS";
- const char *const ADMIN_BUCKET = "ADMIN";
- const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
- const std::string username("sm_test_10_user_cynara_policy");
- CynaraTestAdmin::Admin admin;
- std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
- user.getUidString(uid_string);
-
- CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
- nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
- admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
-
- user.remove();
- CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
-
- admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
- admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
- admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
- admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
-}
-
-RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
-{
- const int BUFFER_SIZE = 128;
- struct message {
- uid_t uid;
- gid_t gid;
- char buf[BUFFER_SIZE];
- } msg;
-
- privileges_t admin_required_privs = {
- "http://tizen.org/privilege/notexist",
- "http://tizen.org/privilege/internal/usermanagement"};
- privileges_t manifest_privs = {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/datasharing"};
- privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
- privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
-
- const std::string pirivman_id = "sm_test_13_ADMIN_APP";
- const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
- const std::string app_id = "sm_test_13_SOME_APP";
- const std::string pkg_id = "sm_test_13_SOME_PKG";
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- std::string childuidstr;
- TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
- TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
-
- InstallRequest request,request2;
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- admin.create();
- child.create();
- child.getUidString(childuidstr);
-
- //install privacy manager for admin
- request.setAppId(pirivman_id.c_str());
- request.setPkgId(pirivman_pkg_id.c_str());
- request.setUid(admin.getUid());
- for (auto &priv: admin_required_privs)
- request.addPrivilege(priv.c_str());
- Api::install(request);
-
- //install app for child that has internet privilege
- request2.setAppId(app_id.c_str());
- request2.setPkgId(pkg_id.c_str());
- request2.setUid(child.getUid());
- for (auto &priv: manifest_privs)
- request2.addPrivilege(priv.c_str());
- Api::install(request2);
-
- check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
- manifest_privs, SM_NO_PRIVILEGES);
-
- //send info to child
- msg.uid = admin.getUid();
- msg.gid = admin.getGid();
- strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid);
-
- check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
- real_privs_allow, real_privs_deny);
- }
- if (pid == 0)//child
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(pirivman_id.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
- PolicyRequest addPolicyReq;
- //change rights
- for (auto &denypriv:real_privs_deny) {
- /*this entry will deny some privileges for user whose uid (as c string)
- was sent in message's buf field.
- That user would be denying internet for child in this case*/
- PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
- entry.setMaxLevel("Deny");
- addPolicyReq.addEntry(entry);
- }
- Api::sendPolicy(addPolicyReq);
- exit(0);
- }
-}
-
-RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
-
-RUNNER_TEST(security_manager_19_security_manager_cmd_install)
-{
- int ret;
- const int SUCCESS = 0;
- const int FAILURE = 256;
- const std::string app_id = "security_manager_10_app";
- const std::string pkg_id = "security_manager_10_pkg";
- const std::string username("sm_test_10_user_name");
- std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
- user.getUidString(uid_string);
- const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
- const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
- const std::string pkgopt = " --pkg=" + pkg_id;
- const std::string appopt = " --app=" + app_id;
- const std::string uidopt = " --uid=" + uid_string;
-
- mktreeSafe(path1.c_str(), 0);
- mktreeSafe(path2.c_str(), 0);
-
- const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
-
- struct operation {
- std::string command;
- int expected_result;
- };
- std::vector<struct operation> operations = {
- {"security-manager-cmd", FAILURE},//no option
- {"security-manager-cmd --blah", FAILURE},//blah option is not known
- {"security-manager-cmd --help", SUCCESS},
- {"security-manager-cmd --install", FAILURE},//no params
- {"security-manager-cmd -i", FAILURE},//no params
- {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
- {installcmd, SUCCESS},
- {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
- {installcmd + " --path " + path1 + " rw", SUCCESS},
- {installcmd + " --path " + path1, FAILURE},//no path type
- {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
- {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
- {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
- };
-
- for (auto &op : operations) {
- ret = system((op.command + " 1>/dev/null 2>&1").c_str());
- RUNNER_ASSERT_MSG(ret == op.expected_result,
- "Unexpected result for command '" << op.command <<"': "
- << ret << " Expected was: "<< op.expected_result);
- }
-}
-
-RUNNER_TEST(security_manager_20_security_manager_cmd_users)
-{
- int ret;
- const int SUCCESS = 0;
- const int FAILURE = 256;
- const std::string username("sm_test_11_user_name");
- std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
- user.getUidString(uid_string);
- const std::string uidopt = " --uid=" + uid_string;
-
- struct operation {
- std::string command;
- int expected_result;
- };
- std::vector<struct operation> operations = {
- {"security-manager-cmd --manage-users=remove", FAILURE},//no params
- {"security-manager-cmd -m", FAILURE},//no params
- {"security-manager-cmd -mr", FAILURE},//no uid
- {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
- {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
- {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
- {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
- {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
- {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
- {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
- {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
- };
-
- for (auto &op : operations) {
- ret = system((op.command + " 1>/dev/null 2>&1").c_str());
- RUNNER_ASSERT_MSG(ret == op.expected_result,
- "Unexpected result for command '" << op.command <<"': "
- << ret << " Expected was: "<< op.expected_result);
- }
-}
-
-void setupPrivilegeGroups(const privileges_t &privileges, const std::vector<std::string> &groups)
-{
- TestSecurityManagerDatabase db;
- for (const auto &privilege : privileges) {
- db.setup_privilege_groups(privilege, groups);
- }
-}
-
-std::vector<std::string> readPrivilegeGroups()
-{
- std::vector<std::string> groups;
- const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
- std::ifstream mappingFile(privilegeGroupMappingPath);
-
- RUNNER_ASSERT_MSG(mappingFile.is_open(),
- "Unable to read group mapping file " << privilegeGroupMappingPath);
-
- std::string line;
- std::regex r("^[^ #]+ +(.*)");
- while (std::getline(mappingFile, line)) {
- std::smatch m;
- if (std::regex_search(line, m, r))
- groups.push_back(m[1]);
- }
-
- return groups;
-}
-
-RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
-
-RUNNER_TEST(security_manager_22_groups_get)
-{
- setupPrivilegeGroups(SM_ALLOWED_PRIVILEGES, SM_ALLOWED_GROUPS);
-
- std::unordered_set<std::string> groups;
- auto tmp = readPrivilegeGroups();
- groups.insert(tmp.begin(), tmp.end());
- groups.insert(SM_ALLOWED_GROUPS.begin(), SM_ALLOWED_GROUPS.end());
-
- char ** c_groups;
- size_t count = 0;
-
- Api::getSecurityManagerGroups(&c_groups, &count);
- RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
- << groups.size() << " but count is: " << count);
-
- for (const auto &group : groups) {
- bool found = false;
- for (size_t i = 0; i < count; ++i) {
- if (group == c_groups[i]) {
- found = true;
- break;
- }
- }
- RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
- }
- security_manager_groups_free(c_groups, count);
-}
-
-
-
-RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
-{
- const char *const sm_app_id = "sm_test_53_app";
- const char *const sm_pkg_id = "sm_test_53_pkg";
- const std::string new_user_name = "sm_test_47_user_name";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
- requestInst.addPrivilege(privilege.c_str());
- Api::install(requestInst);
-
- for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
- int result;
- Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
- result);
- RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
- " should have access to privilege " << privilege);
- }
-
- for (auto const &privilege : SM_DENIED_PRIVILEGES) {
- int result;
- Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
- result);
- RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
- " should not have access to privilege " << privilege);
- }
-
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
- Api::uninstall(requestUninst);
-}
-
-RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
-
-RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
-{
- const char *const sm_app_id = "sm_test_49a_app_id_global";
- const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
-
- Api::install(requestInst);
-
- // Check records in the security-manager database
- check_app_after_install(sm_app_id, sm_pkg_id);
-
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
-
- Api::uninstall(requestUninst);
-
- // Check records in the security-manager database
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
-}
-
-RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
-{
- const char *const sm_app_id = "sm_test_49b_app_id_local";
- const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
-
- Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
-}
-
-RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
-{
- const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
- const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
-
- Api::install(requestInst);
-
- // Check records in the security-manager database
- check_app_after_install(sm_app_id, sm_pkg_id);
-
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
-
- Api::uninstall(requestUninst);
-
- // Check records in the security-manager database
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
-}
-
-RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
-{
- int result;
- const char *const sm_app_id = "sm_test_49d_app_id_global";
- const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
- const std::string new_user_name = "sm_test_49d_user_name";
-
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
- testUser.create();
-
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
-
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
-
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- InstallRequest requestPrivateUser;
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
- false);
-
- requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
-
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
-
- /*
- * It is possible for local user to install global application but one needs app_install privileges
- * By default only global user or root can install global apps
- */
- Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
-}
-
-RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
-{
- int result;
- const char *const sm_app_id = "sm_test_49e_app_id_local";
- const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
- const std::string new_user_name = "sm_test_49e_user_name";
-
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
- testUser.create();
-
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
-
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
-
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- InstallRequest requestPrivateUser;
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
- false);
-
- requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
-
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
-
- Api::install(requestPrivateUser);
-
- check_app_permissions(sm_app_id, sm_pkg_id,
- uidToStr(testUser.getUid()).c_str(),
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
-
- //uninstall app as non-root user
- InstallRequest request;
- request.setAppId(sm_app_id);
-
- Api::uninstall(request);
-
- check_app_permissions(sm_app_id, sm_pkg_id,
- uidToStr(testUser.getUid()).c_str(),
- SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
-}
-
-RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
-{
- int result;
- const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
- const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
- const std::string new_user_name = "sm_test_49f_user_name";
-
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
- testUser.create();
-
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
-
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
-
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- InstallRequest requestPrivateUser;
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
- false);
-
- requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
-
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
-
- /*
- * It is possible for local user to install preloaded application but one needs app_install privileges
- * By default only global user or root can install preloaded apps
- */
- Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
-}
-
-RUNNER_TEST(security_manager_50_app_install_constraint_check)
-{
- auto install = [](const TemporaryTestUser& user,
- const char *pkgId,
- const char *appId,
- const char *version,
- const char *author,
- enum lib_retcode expected,
- bool uninstall = true)
- {
- InstallRequest request;
- request.setAppId(appId);
- request.setPkgId(pkgId);
- request.setAppTizenVersion(version);
- request.setAuthorId(author);
- request.setUid(user.getUid());
-
- Api::install(request, expected);
-
- if(expected == SECURITY_MANAGER_SUCCESS) {
- // TODO add verification once check_app_after_install() supports uid
- // check_app_after_install(appId, pkgId);
- if(uninstall)
- Api::uninstall(request);
- }
- };
-
- std::vector<TemporaryTestUser> users = {
- {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
- {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
- };
-
- for(auto& gu : users)
- gu.create();
-
- const char *const pkgId[] = {"sm_test_50_pkg_id_0", "sm_test_50_pkg_id_1"};
- const char *const appId[] = {"sm_test_50_app_id_0", "sm_test_50_app_id_1"};
- const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
- const char *const author[] = {"sm_test_50_author_0", "sm_test_50_author_1"};
-
- // uid_0, pkg_0, app_0, version_0, author_0
- install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
-
- // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
- install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
- // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
- install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
- install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
- install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
- install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
- // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
- install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
- install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
- install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
-}
int main(int argc, char *argv[])
{
* limitations under the License.
*/
+#include <cstdlib>
+#include <attr/xattr.h>
+#include <fstream>
+#include <regex>
+#include <string>
+#include <unordered_set>
+
#include <sys/capability.h>
#include <sys/smack.h>
#include <sys/types.h>
#include <unistd.h>
-#include <attr/xattr.h>
-#include <cstdlib>
+#include <cynara-admin.h>
+
+#include <cynara_test_admin.h>
#include <dpl/test/test_runner.h>
#include <memory>
#include <scoped_label.h>
#include <sm_commons.h>
#include <sm_request.h>
#include <synchronization_pipe.h>
+#include <temp_test_user.h>
#include <tests_common.h>
#include <tzplatform.h>
#include <uds.h>
check_app_after_uninstall(app_id, pkg_id, true);
}
+
+RUNNER_TEST(security_manager_50_app_install_constraint_check)
+{
+ auto install = [](const TemporaryTestUser& user,
+ const char *pkgId,
+ const char *appId,
+ const char *version,
+ const char *author,
+ enum lib_retcode expected,
+ bool uninstall = true)
+ {
+ InstallRequest request;
+ request.setAppId(appId);
+ request.setPkgId(pkgId);
+ request.setAppTizenVersion(version);
+ request.setAuthorId(author);
+ request.setUid(user.getUid());
+
+ Api::install(request, expected);
+
+ if(expected == SECURITY_MANAGER_SUCCESS) {
+ // TODO add verification once check_app_after_install() supports uid
+ // check_app_after_install(appId, pkgId);
+ if(uninstall)
+ Api::uninstall(request);
+ }
+ };
+
+ std::vector<TemporaryTestUser> users = {
+ {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
+ {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
+ };
+
+ for(auto& gu : users)
+ gu.create();
+
+ const char *const pkgId[] = {"sm_test_50_pkg_id_0", "sm_test_50_pkg_id_1"};
+ const char *const appId[] = {"sm_test_50_app_id_0", "sm_test_50_app_id_1"};
+ const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
+ const char *const author[] = {"sm_test_50_author_0", "sm_test_50_author_1"};
+
+ // uid_0, pkg_0, app_0, version_0, author_0
+ install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
+
+ // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
+ install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
+ // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
+ install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
+ install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
+ // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
+{
+ const char *const sm_app_id = "sm_test_53_app";
+ const char *const sm_pkg_id = "sm_test_53_pkg";
+ const std::string new_user_name = "sm_test_47_user_name";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
+ requestInst.addPrivilege(privilege.c_str());
+ Api::install(requestInst);
+
+ for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
+ int result;
+ Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
+ result);
+ RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
+ " should have access to privilege " << privilege);
+ }
+
+ for (auto const &privilege : SM_DENIED_PRIVILEGES) {
+ int result;
+ Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
+ result);
+ RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
+ " should not have access to privilege " << privilege);
+ }
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)
+
+RUNNER_TEST(security_manager_18_user_cynara_policy)
+{
+ const char *const MAIN_BUCKET = "MAIN";
+ const char *const MANIFESTS_BUCKET = "MANIFESTS";
+ const char *const ADMIN_BUCKET = "ADMIN";
+ const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
+ const std::string username("sm_test_10_user_cynara_policy");
+ CynaraTestAdmin::Admin admin;
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+ user.getUidString(uid_string);
+
+ CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
+ nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
+ admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
+
+ user.remove();
+ CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
+
+ admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+}
+
+RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
+{
+ const int BUFFER_SIZE = 128;
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ char buf[BUFFER_SIZE];
+ } msg;
+
+ privileges_t admin_required_privs = {
+ "http://tizen.org/privilege/notexist",
+ "http://tizen.org/privilege/internal/usermanagement"};
+ privileges_t manifest_privs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/datasharing"};
+ privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
+ privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
+
+ const std::string pirivman_id = "sm_test_13_ADMIN_APP";
+ const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
+ const std::string app_id = "sm_test_13_SOME_APP";
+ const std::string pkg_id = "sm_test_13_SOME_PKG";
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ std::string childuidstr;
+ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
+ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
+
+ InstallRequest request,request2;
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ admin.create();
+ child.create();
+ child.getUidString(childuidstr);
+
+ //install privacy manager for admin
+ request.setAppId(pirivman_id.c_str());
+ request.setPkgId(pirivman_pkg_id.c_str());
+ request.setUid(admin.getUid());
+ for (auto &priv: admin_required_privs)
+ request.addPrivilege(priv.c_str());
+ Api::install(request);
+
+ //install app for child that has internet privilege
+ request2.setAppId(app_id.c_str());
+ request2.setPkgId(pkg_id.c_str());
+ request2.setUid(child.getUid());
+ for (auto &priv: manifest_privs)
+ request2.addPrivilege(priv.c_str());
+ Api::install(request2);
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ manifest_privs, SM_NO_PRIVILEGES);
+
+ //send info to child
+ msg.uid = admin.getUid();
+ msg.gid = admin.getGid();
+ strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid);
+
+ check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+ real_privs_allow, real_privs_deny);
+ }
+ if (pid == 0)//child
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(pirivman_id.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ PolicyRequest addPolicyReq;
+ //change rights
+ for (auto &denypriv:real_privs_deny) {
+ /*this entry will deny some privileges for user whose uid (as c string)
+ was sent in message's buf field.
+ That user would be denying internet for child in this case*/
+ PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+ entry.setMaxLevel("Deny");
+ addPolicyReq.addEntry(entry);
+ }
+ Api::sendPolicy(addPolicyReq);
+ exit(0);
+ }
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
+
+RUNNER_TEST(security_manager_19_security_manager_cmd_install)
+{
+ int ret;
+ const int SUCCESS = 0;
+ const int FAILURE = 256;
+ const std::string app_id = "security_manager_10_app";
+ const std::string pkg_id = "security_manager_10_pkg";
+ const std::string username("sm_test_10_user_name");
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+ user.getUidString(uid_string);
+ const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
+ const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
+ const std::string pkgopt = " --pkg=" + pkg_id;
+ const std::string appopt = " --app=" + app_id;
+ const std::string uidopt = " --uid=" + uid_string;
+
+ mktreeSafe(path1.c_str(), 0);
+ mktreeSafe(path2.c_str(), 0);
+
+ const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
+
+ struct operation {
+ std::string command;
+ int expected_result;
+ };
+ std::vector<struct operation> operations = {
+ {"security-manager-cmd", FAILURE},//no option
+ {"security-manager-cmd --blah", FAILURE},//blah option is not known
+ {"security-manager-cmd --help", SUCCESS},
+ {"security-manager-cmd --install", FAILURE},//no params
+ {"security-manager-cmd -i", FAILURE},//no params
+ {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
+ {installcmd, SUCCESS},
+ {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
+ {installcmd + " --path " + path1 + " rw", SUCCESS},
+ {installcmd + " --path " + path1, FAILURE},//no path type
+ {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
+ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
+ {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+ };
+
+ for (auto &op : operations) {
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
+ RUNNER_ASSERT_MSG(ret == op.expected_result,
+ "Unexpected result for command '" << op.command <<"': "
+ << ret << " Expected was: "<< op.expected_result);
+ }
+}
+
+RUNNER_TEST(security_manager_20_security_manager_cmd_users)
+{
+ int ret;
+ const int SUCCESS = 0;
+ const int FAILURE = 256;
+ const std::string username("sm_test_11_user_name");
+ std::string uid_string;
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+ user.getUidString(uid_string);
+ const std::string uidopt = " --uid=" + uid_string;
+
+ struct operation {
+ std::string command;
+ int expected_result;
+ };
+ std::vector<struct operation> operations = {
+ {"security-manager-cmd --manage-users=remove", FAILURE},//no params
+ {"security-manager-cmd -m", FAILURE},//no params
+ {"security-manager-cmd -mr", FAILURE},//no uid
+ {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
+ {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
+ {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
+ {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
+ {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
+ {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
+ {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
+ {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
+ };
+
+ for (auto &op : operations) {
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
+ RUNNER_ASSERT_MSG(ret == op.expected_result,
+ "Unexpected result for command '" << op.command <<"': "
+ << ret << " Expected was: "<< op.expected_result);
+ }
+}
+
+void setupPrivilegeGroups(const privileges_t &privileges, const std::vector<std::string> &groups)
+{
+ TestSecurityManagerDatabase db;
+ for (const auto &privilege : privileges) {
+ db.setup_privilege_groups(privilege, groups);
+ }
+}
+
+std::vector<std::string> readPrivilegeGroups()
+{
+ std::vector<std::string> groups;
+ const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
+ std::ifstream mappingFile(privilegeGroupMappingPath);
+
+ RUNNER_ASSERT_MSG(mappingFile.is_open(),
+ "Unable to read group mapping file " << privilegeGroupMappingPath);
+
+ std::string line;
+ std::regex r("^[^ #]+ +(.*)");
+ while (std::getline(mappingFile, line)) {
+ std::smatch m;
+ if (std::regex_search(line, m, r))
+ groups.push_back(m[1]);
+ }
+
+ return groups;
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
+
+RUNNER_TEST(security_manager_22_groups_get)
+{
+ setupPrivilegeGroups(SM_ALLOWED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+ std::unordered_set<std::string> groups;
+ auto tmp = readPrivilegeGroups();
+ groups.insert(tmp.begin(), tmp.end());
+ groups.insert(SM_ALLOWED_GROUPS.begin(), SM_ALLOWED_GROUPS.end());
+
+ char ** c_groups;
+ size_t count = 0;
+
+ Api::getSecurityManagerGroups(&c_groups, &count);
+ RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
+ << groups.size() << " but count is: " << count);
+
+ for (const auto &group : groups) {
+ bool found = false;
+ for (size_t i = 0; i < count; ++i) {
+ if (group == c_groups[i]) {
+ found = true;
+ break;
+ }
+ }
+ RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
+ }
+ security_manager_groups_free(c_groups, count);
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
+
+RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
+{
+ const char *const sm_app_id = "sm_test_49a_app_id_global";
+ const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
+
+ Api::install(requestInst);
+
+ // Check records in the security-manager database
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+
+ // Check records in the security-manager database
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+}
+
+RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
+{
+ const char *const sm_app_id = "sm_test_49b_app_id_local";
+ const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
+
+ Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
+}
+
+RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
+{
+ const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
+ const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
+
+ Api::install(requestInst);
+
+ // Check records in the security-manager database
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+
+ // Check records in the security-manager database
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+}
+
+RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49d_app_id_global";
+ const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
+ const std::string new_user_name = "sm_test_49d_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ /*
+ * It is possible for local user to install global application but one needs app_install privileges
+ * By default only global user or root can install global apps
+ */
+ Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49e_app_id_local";
+ const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
+ const std::string new_user_name = "sm_test_49e_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ Api::install(requestPrivateUser);
+
+ check_app_permissions(sm_app_id, sm_pkg_id,
+ uidToStr(testUser.getUid()).c_str(),
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+
+ //uninstall app as non-root user
+ InstallRequest request;
+ request.setAppId(sm_app_id);
+
+ Api::uninstall(request);
+
+ check_app_permissions(sm_app_id, sm_pkg_id,
+ uidToStr(testUser.getUid()).c_str(),
+ SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
+
+RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
+ const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
+ const std::string new_user_name = "sm_test_49f_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ /*
+ * It is possible for local user to install preloaded application but one needs app_install privileges
+ * By default only global user or root can install preloaded apps
+ */
+ Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}