* limitations under the License.
*/
+// cstdlibg has to be included before attr/xattr
#include <cstdlib>
#include <attr/xattr.h>
#include <fstream>
+#include <memory>
#include <regex>
#include <string>
-#include <unordered_set>
-
#include <sys/capability.h>
#include <sys/smack.h>
#include <sys/types.h>
#include <cynara-admin.h>
+#include <app_install_helper.h>
#include <cynara_test_admin.h>
#include <dpl/test/test_runner.h>
-#include <memory>
+#include <message_pipe.h>
+#include <policy_configuration.h>
+#include <scoped_installer.h>
#include <scoped_label.h>
#include <service_manager.h>
#include <sm_api.h>
using namespace SecurityManagerTest;
+namespace {
+std::vector<std::string> merge(const std::vector<std::string> &one, const std::vector<std::string> &two) {
+ std::vector<std::string> sum;
+ sum.reserve(one.size() + two.size());
+ sum.insert(sum.end(), one.begin(), one.end());
+ sum.insert(sum.end(), two.begin(), two.end());
+ return sum;
+}
+}
+
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
{
- const char *const sm_app_id = "sm_test_01a_app_id_double";
- const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
-
- Api::install(requestInst);
- Api::install(requestInst);
-
- // Check records in the security-manager database
- check_app_after_install(sm_app_id, sm_pkg_id);
-
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
-
- Api::uninstall(requestUninst);
- Api::uninstall(requestUninst);
-
- // Check records in the security-manager database
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+ AppInstallHelper app("sm_test_01a_app");
+ {
+ ScopedInstaller appInstall(app);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
+ {
+ ScopedInstaller appInstall2(app);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
+ }
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ }
}
RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
{
- const char *const sm_app_id = "sm_test_01b_app";
- const char *const sm_pkg_id = "sm_test_01b_pkg";
- const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ AppInstallHelper app("sm_test_01b");
+ {
+ ScopedInstaller appInstall(app);
- Api::install(requestInst);
+ InstallRequest requestInst2;
+ requestInst2.setAppId(app.getAppId());
+ requestInst2.setPkgId(app.getPkgId() + "_wrong");
- InstallRequest requestInst2;
- requestInst2.setAppId(sm_app_id);
- requestInst2.setPkgId(sm_pkg_id_wrong);
+ Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
- Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
+ }
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+}
+RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
+{
+ AppInstallHelper app("sm_test_01c");
+ ScopedInstaller appInstall(app);
- /* Check records in the security-manager database */
- check_app_after_install(sm_app_id, sm_pkg_id);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ requestUninst.setAppId(app.getAppId());
+ requestUninst.setPkgId(app.getPkgId() + "_ignored"); // pkg_id param is ignored in uninstall request
Api::uninstall(requestUninst);
-
- /* Check records in the security-manager database */
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ // ScopedInstaller destructor (app second uninstallation) won't have any effect
}
-RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
+/*
+ * This test uses files installed with security-tests package
+ */
+RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree)
{
- const char * const sm_app_id = "SM_TEST_01c_APPID";
- const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
- const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ const std::string appId = "sm_test_01d_app_id_full";
+ const std::string pkgId = "sm_test_01d_pkg_id_full";
- Api::install(requestInst);
+ const std::string rootDir = TzPlatformConfig::globalAppDir() + "/" + pkgId + "/";
+ const std::string privateDir = rootDir + "app_dir/";
+ const std::string privateRODir = rootDir + "app_dir_ro/";
+ const std::string publicRODir = rootDir + "app_dir_public_ro/";
+ const std::string sharedRODir = rootDir + "app_dir_rw_others_ro/";
- /* Check records in the security-manager database */
- check_app_after_install(sm_app_id, sm_pkg_id);
+ int result = nftw(rootDir.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << rootDir);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
- requestUninst.setPkgId(sm_pkg_id_wrong);
+ InstallRequest requestInst;
+ requestInst.setAppId(appId);
+ requestInst.setPkgId(pkgId);
+ requestInst.addPath(privateDir, SECURITY_MANAGER_PATH_RW);
+ requestInst.addPath(privateRODir, SECURITY_MANAGER_PATH_RO);
+ requestInst.addPath(publicRODir, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ requestInst.addPath(sharedRODir, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
+ Api::install(requestInst);
- Api::uninstall(requestUninst);
+ std::unique_ptr<InstallRequest, std::function<void(InstallRequest*)>> appCleanup(&requestInst,
+ [](InstallRequest *req) {
+ Api::uninstall(*req);
+ });
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+ check_path(privateDir, generatePathRWLabel(pkgId));
+ check_path(privateRODir, generatePathROLabel(pkgId), false);
+ check_path(publicRODir, getPublicPathLabel());
+ check_path(sharedRODir, generatePathSharedROLabel(pkgId));
}
RUNNER_TEST(security_manager_02_app_install_uninstall_full)
{
- std::string SM_RW_PATH = genRWPath(2);
- std::string SM_RO_PATH = genROPath(2);
- std::string SM_PUBLIC_RO_PATH = genPublicROPath(2);
-
- const char *const sm_app_id = "sm_test_02_app_id_full";
- const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
-
- prepare_app_env(2);
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
- requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
- requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
- requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
- requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
-
- Api::install(requestInst);
+ const privileges_t allowedPrivs = {
+ "http://tizen.org/privilege/display",
+ "http://tizen.org/privilege/nfc"
+ };
- /* Check records in the security-manager database */
- check_app_after_install(sm_app_id, sm_pkg_id,
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
+ const privileges_t someDeniedPrivs = {
+ "http://tizen.org/privilege/bluetooth",
+ "http://tizen.org/privilege/power"
+ };
- /* TODO: add parameters to this function */
- check_app_path_after_install(2, sm_pkg_id, false);
+ AppInstallHelper app("sm_test_02");
+ app.createInstallDir();
+ app.createPrivateDir();
+ app.createPrivateRODir();
+ app.createPublicDir();
+ app.createSharedRODir();
+ app.addPrivileges(allowedPrivs);
+ {
+ ScopedInstaller appInstall(app);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ // FIXME - whitebox - db, groups
+ check_app_after_install(app.getAppId(), app.getPkgId(),
+ app.getPrivileges(), someDeniedPrivs, SM_ALLOWED_GROUPS);
- Api::uninstall(requestUninst);
+ check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
+ check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
+ check_path(app.getPublicDir(), getPublicPathLabel());
+ check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
+ }
- /* Check records in the security-manager database,
- * all previously allowed privileges should be removed */
- check_app_after_uninstall(sm_app_id, sm_pkg_id,
- SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(),
+ app.getPrivileges(), TestSecurityManagerDatabase::REMOVED);
}
RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
{
- const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
- const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
- const char *const socketLabel = "not_expected_label";
- std::string expected_label = generateProcessLabel(app_id, pkg_id);
- std::string expected_socket_label = socketLabel;
- char *label = nullptr;
- CStringPtr labelPtr;
- int result;
+ std::string expectedSockLabel = "labelExpectedOnlyFromSocket";
- uninstall_app(app_id, pkg_id, true);
- install_app(app_id, pkg_id);
+ AppInstallHelper app("sm_test_03a");
+ std::string expectedProcLabel = generateProcessLabel(app.getAppId(), app.getPkgId());
- const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03.socket");
+ const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03a.socket");
int sock = UDSHelpers::createServer(&sockaddr);
SockUniquePtr sockPtr(&sock);
- //Set socket label to something different than expecedLabel
- result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, socketLabel);
+ //Set socket label to something different than expeced process label
+ int result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, expectedSockLabel.c_str());
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
- result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, socketLabel);
+ result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, expectedSockLabel.c_str());
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
+ ScopedInstaller appInstall(app);
- SynchronizationPipe pipe;
pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
+ if (pid == 0) { // child
+ Api::setProcessLabel(app.getAppId());
- if (pid != 0) { // parent process
- pipe.claimParentEp();
- Api::setProcessLabel(app_id);
-
+ char *label = nullptr;
+ CStringPtr labelPtr;
result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
labelPtr.reset(label);
- result = expected_socket_label.compare(label);
+ result = expectedSockLabel.compare(label);
RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << label);
+ expectedProcLabel << " Actual: " << label);
result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
labelPtr.reset(label);
- result = expected_socket_label.compare(label);
+ result = expectedSockLabel.compare(label);
RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << label);
+ expectedProcLabel << " Actual: " << label);
result = smack_new_label_from_self(&label);
RUNNER_ASSERT_MSG(result >= 0,
" Process label is not set");
labelPtr.reset(label);
- result = expected_label.compare(label);
+ result = expectedProcLabel.compare(label);
RUNNER_ASSERT_MSG(result == 0,
- " Process label is incorrect. Expected: \"" << expected_label <<
+ " Process label is incorrect. Expected: \"" << expectedProcLabel <<
"\" Actual: \"" << label << "\"");
- pipe.post();
+ } else { // parent
waitPid(pid);
- } else { // child process
- pipe.claimChildEp();
- pipe.wait();
- uninstall_app(app_id, pkg_id, true);
- exit(0);
}
}
-RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
-{
- const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
- const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
-
- uninstall_app(app_id, pkg_id, true);
- install_app(app_id, pkg_id);
-
- {
- ScopedProcessLabel keepLabel;
- Api::setProcessLabel(app_id);
- }
-
- uninstall_app(app_id, pkg_id, true);
-}
-
-static void install_and_check(const char *const sm_app_id,
- const char *const sm_pkg_id,
- const TemporaryTestUser& user,
- const std::string &appDir,
- bool requestUid)
-{
- InstallRequest requestPrivate;
-
- //install app for non-root user
- //should fail (users may only register folders inside their home)
- prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
- requestUid ? user.getUid() : 0);
-
- Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
-
- InstallRequest requestPrivateUser;
-
- //install app for non-root user
- //should succeed - this time i register folder inside user's home dir
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, appDir.c_str(),
- requestUid ? user.getUid() : 0);
-
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
-
- Api::install(requestPrivateUser);
-
- check_app_permissions(sm_app_id, sm_pkg_id,
- user.getUidString().c_str(),
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
-}
-
RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
{
- int result;
- const char *const sm_app_id = "sm_test_04a_app_id_uid";
- const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
- const std::string new_user_name = "sm_test_04a_user_name";
+ const std::vector<std::string> allowedPrivs = {
+ "http://tizen.org/privilege/bluetooth",
+ "http://tizen.org/privilege/power"
+ };
+ const std::vector<std::string> someDeniedPrivs = {
+ "http://tizen.org/privilege/display",
+ "http://tizen.org/privilege/nfc"
+ };
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
-
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
-
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ AppInstallHelper app("sm_test_04a", testUser.getUid());
+ app.addPrivileges(allowedPrivs);
- install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
-
- //uninstall app as non-root user
- InstallRequest request;
- request.setAppId(sm_app_id);
-
- Api::uninstall(request);
-
- check_app_permissions(sm_app_id, sm_pkg_id,
- testUser.getUidString().c_str(),
- SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+ {
+ ScopedInstaller appInstall(app, false);
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ allowedPrivs, someDeniedPrivs);
+ }
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ {}, merge(allowedPrivs, someDeniedPrivs));
}
-RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
-{
- int result;
- const char *const sm_app_id = "sm_test_04b_app_id_uid";
- const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
- const std::string new_user_name = "sm_test_04b_user_name";
+RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) {
+ const std::vector<std::string> allowedPrivs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/led"
+ };
+ const std::vector<std::string> someDeniedPrivs = {
+ "http://tizen.org/privilege/location",
+ "http://tizen.org/privilege/notification"
+ };
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
-
- install_and_check(sm_app_id, sm_pkg_id, testUser,
- TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id), true);
-
- //switch user to non-root - root may not uninstall apps for specified users
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ AppInstallHelper app("sm_test_04b", testUser.getUid());
+ app.addPrivileges(allowedPrivs);
- //uninstall app as non-root user
- InstallRequest request;
- request.setAppId(sm_app_id);
-
- Api::uninstall(request);
+ {
+ ScopedInstaller appInstall(app);
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ allowedPrivs, someDeniedPrivs);
- check_app_permissions(sm_app_id, sm_pkg_id,
- testUser.getUidString().c_str(),
- SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+ }
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ {}, merge(allowedPrivs, someDeniedPrivs));
}
RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
"capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
}
-RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
+RUNNER_TEST(security_manager_06_install_app_offline)
{
- const char *const app_id = "sm_test_06_app_id_install_app_offline";
- const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
-
- // Uninstall app on-line, off-line mode doesn't support it
- uninstall_app(app_id, pkg_id, true);
-
ServiceManager("security-manager.service").stopService();
ServiceManager serviceManager("security-manager.socket");
serviceManager.stopService();
- install_app(app_id, pkg_id);
-
+ AppInstallHelper app("sm_test_06");
+ ScopedInstaller appInstall(app);
+ // TODO - check if app is installed properly
+ // start service before uninstall, offline mode doesn't support uninstall
serviceManager.startService();
-
- uninstall_app(app_id, pkg_id, true);
+ appInstall.uninstallApp();
+ // TODO - check if app is uninstalled properly
}
-RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
+RUNNER_TEST(security_manager_07a_user_add_app_install)
{
- const char *const sm_app_id = "sm_test_07_app_id_user";
- const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
- const std::string new_user_name = "sm_test_07_user_name";
-
- TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
- test_user.create();
- std::string uid_string = test_user.getUidString();
+ const std::vector<std::string> allowedPrivs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/led"
+ };
+ const std::vector<std::string> someDeniedPrivs = {
+ "http://tizen.org/privilege/location",
+ "http://tizen.org/privilege/notification"
+ };
- removeTestDirs(test_user, sm_app_id, sm_pkg_id);
- createTestDirs(test_user, sm_app_id, sm_pkg_id);
+ TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
- install_app(sm_app_id, sm_pkg_id, test_user.getUid());
+ AppInstallHelper app("sm_test_07a", testUser.getUid());
+ app.addPrivileges(allowedPrivs);
- check_app_after_install(sm_app_id, sm_pkg_id);
+ InstallRequest req;
+ req.setAppId(app.getAppId());
+ req.setPkgId(app.getPkgId());
+ req.setUid(app.getUID());
+ for (const auto &priv: app.getPrivileges()) {
+ req.addPrivilege(priv);
+ }
+ Api::install(req);
- test_user.remove();
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ allowedPrivs, someDeniedPrivs);
- check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+ testUser.remove();
- check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ {}, merge(allowedPrivs, someDeniedPrivs));
+ // TODO - check if app is uninstalled
}
-RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
+RUNNER_TEST(security_manager_07b_user_add_offline)
{
- UserRequest addUserRequest;
-
- const char *const sm_app_id = "sm_test_08_app_id_user";
- const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
- const std::string new_user_name = "sm_test_08_user_name";
-
- // gumd user add
- TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
- test_user.create();
- std::string uid_string = test_user.getUidString();
-
- removeTestDirs(test_user, sm_app_id, sm_pkg_id);
- createTestDirs(test_user, sm_app_id, sm_pkg_id);
-
- addUserRequest.setUid(test_user.getUid());
- addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
-
- //sm user add
- Api::addUser(addUserRequest);
-
- install_app(sm_app_id, sm_pkg_id, test_user.getUid());
-
- check_app_after_install(sm_app_id, sm_pkg_id);
+ ServiceManager("security-manager.service").stopService();
- test_user.remove();
+ ServiceManager serviceManager("security-manager.socket");
+ serviceManager.stopService();
- UserRequest deleteUserRequest;
- deleteUserRequest.setUid(test_user.getUid());
+ TemporaryTestUser testUser("sm_test_07b_user_name", GUM_USERTYPE_NORMAL, true);
+ testUser.create();
- Api::deleteUser(deleteUserRequest);
+ AppInstallHelper app("sm_test_07b", testUser.getUid());
+ ScopedInstaller appInstall(app);
- check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
- check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
+ serviceManager.startService();
+ testUser.remove();
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), true);
}
-RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
+RUNNER_TEST(security_manager_08_user_double_add_double_remove)
{
- const char *const app_id = "security_manager_09_add_user_offline_app";
- const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
- const std::string new_user_name("sm_test_09_user_name");
-
- ServiceManager("security-manager.service").stopService();
-
- ServiceManager serviceManager("security-manager.socket");
- serviceManager.stopService();
-
- TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
- test_user.create();
-
- removeTestDirs(test_user, app_id, pkg_id);
- createTestDirs(test_user, app_id, pkg_id);
+ std::vector<std::string> somePrivs = {
+ "http://tizen.org/privilege/internet", "http://tizen.org/privilege/led",
+ "http://tizen.org/privilege/location", "http://tizen.org/privilege/notification"
+ };
+ // gumd
+ TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
- install_app(app_id, pkg_id, test_user.getUid());
+ // security-manager
+ UserRequest addUserRequest;
+ addUserRequest.setUid(testUser.getUid());
+ addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
+ Api::addUser(addUserRequest);
- check_app_after_install(app_id, pkg_id);
+ AppInstallHelper app("sm_test_08", testUser.getUid());
+ ScopedInstaller appInstall(app);
- serviceManager.startService();
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
- test_user.remove();
+ // gumd
+ testUser.remove();
+
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), true);
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
- check_app_after_uninstall(app_id, pkg_id, true);
+ // security-manager
+ UserRequest deleteUserRequest;
+ deleteUserRequest.setUid(testUser.getUid());
+ Api::deleteUser(deleteUserRequest);
}
-RUNNER_TEST(security_manager_50_app_install_constraint_check)
+RUNNER_TEST(security_manager_09_app_install_constraint_check)
{
auto install = [](const TemporaryTestUser& user,
const char *pkgId,
const char *appId,
const char *version,
const char *author,
+ bool isHybrid,
enum lib_retcode expected,
bool uninstall = true)
{
request.setAppTizenVersion(version);
request.setAuthorId(author);
request.setUid(user.getUid());
-
+ if (isHybrid)
+ request.setHybrid();
Api::install(request, expected);
- if(expected == SECURITY_MANAGER_SUCCESS) {
- // TODO add verification once check_app_after_install() supports uid
- // check_app_after_install(appId, pkgId);
- if(uninstall)
- Api::uninstall(request);
+ if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
+ Api::uninstall(request);
}
};
std::vector<TemporaryTestUser> users = {
- {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
- {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
+ {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
+ {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
};
for(auto& gu : users)
gu.create();
- const char *const pkgId[] = {"sm_test_50_pkg_id_0", "sm_test_50_pkg_id_1"};
- const char *const appId[] = {"sm_test_50_app_id_0", "sm_test_50_app_id_1"};
- const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
- const char *const author[] = {"sm_test_50_author_0", "sm_test_50_author_1"};
-
- // uid_0, pkg_0, app_0, version_0, author_0
- install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
-
- // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
- install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
- // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
- install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
- install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
- install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
- install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
- // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
- install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
- install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
- install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
-}
-
-RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
-{
- const char *const sm_app_id = "sm_test_53_app";
- const char *const sm_pkg_id = "sm_test_53_pkg";
- const std::string new_user_name = "sm_test_47_user_name";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
- requestInst.addPrivilege(privilege.c_str());
- Api::install(requestInst);
-
- for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
- int result;
- Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
- result);
- RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
- " should have access to privilege " << privilege);
- }
+ const char *const pkgId[] = {"sm_test_09_pkg_id_0", "sm_test_09_pkg_id_1"};
+ const char *const appId[] = {"sm_test_09_app_id_0", "sm_test_09_app_id_1"};
+ const char *const version[] = {"sm_test_09_version_0", "sm_test_09_version_1"};
+ const char *const author[] = {"sm_test_09_author_0", "sm_test_09_author_1"};
+ bool hybrid[] = {false, true};
+
+ // uid_0, pkg_0, app_0, version_0, author_0, not hybrid
+ install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
+ // uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
+ install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
+ // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
+ install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> fail (different hybrid setting)
+ install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> fail (different hybrid setting)
+ install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> fail (author of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> fail (version of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_1, app_0, version_0, author_0, not hybrid -> fail (pkg of app_0 must be the same)
+ install(users[1], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok (the same app again)
+ install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
+ // uid_0, pkg_1, app_0, version_0, author_0, not hybrid -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_1, author_0, not hybrid -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_1, not hybrid -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
- for (auto const &privilege : SM_DENIED_PRIVILEGES) {
- int result;
- Api::appHasPrivilege(sm_app_id, privilege.c_str(), TzPlatformConfig::getGlobalUserId(),
- result);
- RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
- " should not have access to privilege " << privilege);
- }
+RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
+{
+ const std::vector<std::string> allowedPrivs = {
+ "http://tizen.org/privilege/wifidirect",
+ "http://tizen.org/privilege/telephony"
+ };
+ const std::vector<std::string> someDeniedPrivs = {
+ "http://tizen.org/privilege/vpnservice",
+ "http://tizen.org/privilege/notification"
+ };
+ AppInstallHelper app("sm_test_10");
+ app.addPrivileges(allowedPrivs);
+ ScopedInstaller appInstall(app);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
- Api::uninstall(requestUninst);
+ sm_app_has_privileges(app, allowedPrivs, 1);
+ // FIXME - all other existing privileges should be checked
+ sm_app_has_privileges(app, someDeniedPrivs, 0);
}
-RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
-RUNNER_TEST(security_manager_18_user_cynara_policy)
+RUNNER_TEST(security_manager_20_user_cynara_policy)
{
+ // FIXME - whitebox - cynara
const char *const MAIN_BUCKET = "MAIN";
const char *const MANIFESTS_BUCKET = "MANIFESTS";
const char *const ADMIN_BUCKET = "ADMIN";
const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
- const std::string username("sm_test_10_user_cynara_policy");
CynaraTestAdmin::Admin admin;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser user("sm_test_20_user_name", GUM_USERTYPE_NORMAL, false);
user.create();
std::string uid_string = user.getUidString();
char buf[BUFFER_SIZE];
} msg;
- privileges_t admin_required_privs = {
- "http://tizen.org/privilege/notexist",
- "http://tizen.org/privilege/internal/usermanagement"};
- privileges_t manifest_privs = {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/datasharing"};
- privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
- privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
-
- const std::string pirivman_id = "sm_test_13_ADMIN_APP";
- const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
- const std::string app_id = "sm_test_13_SOME_APP";
- const std::string pkg_id = "sm_test_13_SOME_PKG";
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
- pid = fork();
+ const privileges_t adminRequiredPrivs = {
+ "http://tizen.org/privilege/notexist",
+ "http://tizen.org/privilege/internal/usermanagement"
+ };
+ const privileges_t manifestPrivs = {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/datasharing"
+ };
+ const privileges_t allowedPrivsAfterChange = {"http://tizen.org/privilege/datasharing"};
+ const privileges_t deniedPrivsAfterChange = {"http://tizen.org/privilege/internet"};
+
+ MessagePipe msgPipe;
+
+ pid_t pid = fork();
RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
if (pid != 0)//parent process
{
- TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
- TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
-
- InstallRequest request,request2;
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- admin.create();
- child.create();
- std::string childuidstr = child.getUidString();
-
- //install privacy manager for admin
- request.setAppId(pirivman_id.c_str());
- request.setPkgId(pirivman_pkg_id.c_str());
- request.setUid(admin.getUid());
- for (auto &priv: admin_required_privs)
- request.addPrivilege(priv.c_str());
- Api::install(request);
-
- //install app for child that has internet privilege
- request2.setAppId(app_id.c_str());
- request2.setPkgId(pkg_id.c_str());
- request2.setUid(child.getUid());
- for (auto &priv: manifest_privs)
- request2.addPrivilege(priv.c_str());
- Api::install(request2);
-
- check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
- manifest_privs, SM_NO_PRIVILEGES);
+ msgPipe.claimParentEp();
+ TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false);
+ TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false);
- //send info to child
- msg.uid = admin.getUid();
- msg.gid = admin.getGid();
- strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+ adminUser.create();
+ normalUser.create();
+ std::string childUidStr = normalUser.getUidString();
+
+ AppInstallHelper adminApp("sm_test_21_admin", adminUser.getUid());
+ adminApp.createInstallDir();
+ adminApp.addPrivileges(adminRequiredPrivs);
+ ScopedInstaller adminAppInstall(adminApp);
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+ AppInstallHelper normalApp("sm_test_21_normal", normalUser.getUid());
+ normalApp.createInstallDir();
+ normalApp.addPrivileges(manifestPrivs);
+
+ ScopedInstaller normalAppInstall(normalApp);
+ check_app_permissions(normalApp.getAppId(), normalApp.getPkgId(), childUidStr,
+ manifestPrivs, {});
+
+ //send info to child
+ msg.uid = adminUser.getUid();
+ msg.gid = adminUser.getGid();
+ strncpy (msg.buf, childUidStr.c_str(), BUFFER_SIZE);
+ msgPipe.write(msg);
waitPid(pid);
- check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
- real_privs_allow, real_privs_deny);
+ check_app_permissions(normalApp.getAppId(), normalApp.getPkgId(), childUidStr,
+ allowedPrivsAfterChange, deniedPrivsAfterChange);
}
- if (pid == 0)//child
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
+ if (pid == 0) {
+ msgPipe.claimChildEp();
+ // Get created user credentials
+ msgPipe.read(msg);
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+ AppInstallHelper adminApp("sm_test_21_admin");
+ Api::setProcessLabel(adminApp.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(msg.uid, msg.gid) == 0, "drop_root_privileges failed");
- //become admin privacy manager manager
- Api::setProcessLabel(pirivman_id.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
PolicyRequest addPolicyReq;
- //change rights
- for (auto &denypriv:real_privs_deny) {
- /*this entry will deny some privileges for user whose uid (as c string)
- was sent in message's buf field.
- That user would be denying internet for child in this case*/
- PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+ for (auto &deniedPriv : deniedPrivsAfterChange) {
+ PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, deniedPriv);
entry.setMaxLevel("Deny");
addPolicyReq.addEntry(entry);
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
-RUNNER_TEST(security_manager_19_security_manager_cmd_install)
+RUNNER_TEST(security_manager_22_security_manager_cmd_install)
{
int ret;
const int SUCCESS = 0;
const int FAILURE = 256;
- const std::string app_id = "security_manager_10_app";
- const std::string pkg_id = "security_manager_10_pkg";
- const std::string username("sm_test_10_user_name");
+ const std::string app_id = "sm_test_22_app_id";
+ const std::string pkg_id = "sm_test_22_pkg_id";
+ const std::string username("sm_test_22_user_name");
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL);
user.create();
- std::string uid_string = user.getUidString();
+
const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
const std::string pkgopt = " --pkg=" + pkg_id;
const std::string appopt = " --app=" + app_id;
- const std::string uidopt = " --uid=" + uid_string;
+ const std::string uidopt = " --uid=" + user.getUidString();
mktreeSafe(path1.c_str(), 0);
mktreeSafe(path2.c_str(), 0);
}
}
-RUNNER_TEST(security_manager_20_security_manager_cmd_users)
+RUNNER_TEST(security_manager_23_security_manager_cmd_users)
{
- int ret;
const int SUCCESS = 0;
const int FAILURE = 256;
- const std::string username("sm_test_11_user_name");
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser user("sm_test_23_user_name", GUM_USERTYPE_NORMAL, false);
user.create();
- std::string uid_string = user.getUidString();
- const std::string uidopt = " --uid=" + uid_string;
+ const std::string uidopt = " --uid=" + user.getUidString();
struct operation {
std::string command;
};
for (auto &op : operations) {
- ret = system((op.command + " 1>/dev/null 2>&1").c_str());
+ int ret = system((op.command + " 1>/dev/null 2>&1").c_str());
RUNNER_ASSERT_MSG(ret == op.expected_result,
"Unexpected result for command '" << op.command <<"': "
<< ret << " Expected was: "<< op.expected_result);
}
}
-std::vector<std::string> readPrivilegeGroups()
-{
- std::vector<std::string> groups;
- const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
- std::ifstream mappingFile(privilegeGroupMappingPath);
-
- RUNNER_ASSERT_MSG(mappingFile.is_open(),
- "Unable to read group mapping file " << privilegeGroupMappingPath);
-
- std::string line;
- std::regex r("^[^ #]+ +(.*)");
- while (std::getline(mappingFile, line)) {
- std::smatch m;
- if (std::regex_search(line, m, r))
- groups.push_back(m[1]);
- }
-
- return groups;
-}
-
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
-RUNNER_TEST(security_manager_22_groups_get)
+RUNNER_TEST(security_manager_24_groups_get)
{
- std::unordered_set<std::string> groups;
- auto tmp = readPrivilegeGroups();
- groups.insert(tmp.begin(), tmp.end());
-
+ PolicyConfiguration pc;
char ** c_groups;
size_t count = 0;
Api::getSecurityManagerGroups(&c_groups, &count);
- RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
- << groups.size() << " but count is: " << count);
+ std::unique_ptr<char *, std::function<void(char **)>> groupsPtr(c_groups, [count] (char ** groups) {
+ security_manager_groups_free(groups, count);
+ });
+
+ auto policyGroups = pc.getGroup();
+ RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
+ << policyGroups.size() << " but count is: " << count);
- for (const auto &group : groups) {
+ for (const auto &group : policyGroups) {
bool found = false;
for (size_t i = 0; i < count; ++i) {
if (group == c_groups[i]) {
}
RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
}
- security_manager_groups_free(c_groups, count);
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
-RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
+RUNNER_TEST(security_manager_25a_global_user_set_install_type_global)
{
- const char *const sm_app_id = "sm_test_49a_app_id_global";
- const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
-
- Api::install(requestInst);
-
- // Check records in the security-manager database
- check_app_after_install(sm_app_id, sm_pkg_id);
-
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ AppInstallHelper app("sm_test_25a");
+ app.setInstallType(SM_APP_INSTALL_GLOBAL);
+ {
+ ScopedInstaller appInstall(app);
- Api::uninstall(requestUninst);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
+ }
// Check records in the security-manager database
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
}
-RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
+RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
{
- const char *const sm_app_id = "sm_test_49b_app_id_local";
- const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
+ AppInstallHelper app("sm_test_25b");
InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ requestInst.setAppId(app.getAppId());
+ requestInst.setPkgId(app.getPkgId());
requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
}
-RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
+RUNNER_TEST(security_manager_25c_global_user_set_install_type_preloaded)
{
- const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
- const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
+ AppInstallHelper app("sm_test_25c");
+ app.setInstallType(SM_APP_INSTALL_PRELOADED);
+ {
+ ScopedInstaller appInstall(app);
+ // FIXME - whitebox - db
+ check_app_after_install(app.getAppId(), app.getPkgId());
+ }
+ // FIXME - whitebox - db
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+}
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
+RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
+{
+ InstallRequest requestPrivateUser;
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
- Api::install(requestInst);
+/*
+ * It is possible for local user to install global application but one needs app_install privileges
+ * By default only global user or root can install global apps (or "User", "System", "System::Privileged"...)
+ */
+RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
+{
+ TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
- // Check records in the security-manager database
- check_app_after_install(sm_app_id, sm_pkg_id);
+ AppInstallHelper app("sm_test_25e");
+ app.createInstallDir();
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ change_label("_");
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
- Api::uninstall(requestUninst);
+ InstallRequest invalidReq;
+ invalidReq.setAppId(app.getAppId());
+ invalidReq.setPkgId(app.getPkgId());
+ invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
- // Check records in the security-manager database
- check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+ Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
}
-RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
+RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
{
- int result;
- const char *const sm_app_id = "sm_test_49d_app_id_global";
- const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
- const std::string new_user_name = "sm_test_49d_user_name";
-
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
+ AppInstallHelper app("sm_test_25f");
+ app.createInstallDir();
+
+ change_label("_");
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+ InstallRequest invalidReq;
+ invalidReq.setAppId(app.getAppId());
+ invalidReq.setPkgId(app.getPkgId());
+ invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
+ Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
+{
+ std::vector<std::string> allowedPrivs = {
+ "http://tizen.org/privilege/volume.set",
+ "http://tizen.org/privilege/systemmonitor",
+ "http://tizen.org/privilege/recorder"
+ };
+ std::vector<std::string> someDeniedPrivs = {
+ "http://tizen.org/privilege/push",
+ "http://tizen.org/privilege/power",
+ "http://tizen.org/privilege/notification"
+ };
- InstallRequest requestPrivateUser;
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
- false);
+ TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
- requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
+ AppInstallHelper app("sm_test_25g", testUser.getUid());
+ app.createInstallDir();
+ app.createPrivateDir();
+ app.setInstallType(SM_APP_INSTALL_LOCAL);
+ app.addPrivileges(allowedPrivs);
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
+ {
+ ScopedInstaller appInstall(app);
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ allowedPrivs, someDeniedPrivs);
- /*
- * It is possible for local user to install global application but one needs app_install privileges
- * By default only global user or root can install global apps
- */
- Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+ }
+ check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
+ {}, merge(allowedPrivs, someDeniedPrivs));
+ // TODO - check if app is properly uninstalled
}
-RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
+RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
{
- int result;
- const char *const sm_app_id = "sm_test_49e_app_id_local";
- const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
- const std::string new_user_name = "sm_test_49e_user_name";
-
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser("sm_test_25h_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
-
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
-
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- InstallRequest requestPrivateUser;
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
- false);
+ AppInstallHelper app("sm_test_25h", testUser.getUid());
+ app.createInstallDir();
+ app.createPrivateDir();
- requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
-
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
-
- Api::install(requestPrivateUser);
-
- check_app_permissions(sm_app_id, sm_pkg_id,
- testUser.getUidString().c_str(),
- SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+ InstallRequest invalidReq;
+ invalidReq.setAppId(app.getAppId());
+ invalidReq.setPkgId(app.getPkgId());
+ invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
+ invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
+ Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
- //uninstall app as non-root user
- InstallRequest request;
- request.setAppId(sm_app_id);
+RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
+{
+ TemporaryTestUser testUser("sm_test_25i_user_name", GUM_USERTYPE_NORMAL);
+ testUser.create();
- Api::uninstall(request);
+ AppInstallHelper app("sm_test_25i", testUser.getUid());
+ app.createInstallDir();
+ app.createPrivateDir();
- check_app_permissions(sm_app_id, sm_pkg_id,
- testUser.getUidString().c_str(),
- SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+ InstallRequest invalidReq;
+ invalidReq.setAppId(app.getAppId());
+ invalidReq.setPkgId(app.getPkgId());
+ invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
+ invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
+ Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
}
-RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
+RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
{
- int result;
- const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
- const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
- const std::string new_user_name = "sm_test_49f_user_name";
-
- TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser testUser("sm_test_25j_user_name", GUM_USERTYPE_NORMAL);
testUser.create();
- removeTestDirs(testUser, sm_app_id, sm_pkg_id);
- createTestDirs(testUser, sm_app_id, sm_pkg_id);
+ AppInstallHelper appLocal("sm_test_25j", testUser.getUid());
- const std::string userAppDirPath = TzPlatformConfig::appDirPath(testUser, sm_app_id, sm_pkg_id);
+ AppInstallHelper appGlobal("sm_test_25");
+ appGlobal.createPrivateDir();
- //switch user to non-root
- result = drop_root_privileges(testUser.getUid(), testUser.getGid());
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
+ "drop_root_privileges failed");
- InstallRequest requestPrivateUser;
- prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
- SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
- false);
+ InstallRequest invalidReq;
+ invalidReq.setAppId(appLocal.getAppId());
+ invalidReq.setPkgId(appLocal.getPkgId());
+ invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
+ invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
- requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
- requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
-
- for (auto &privilege : SM_ALLOWED_PRIVILEGES)
- requestPrivateUser.addPrivilege(privilege.c_str());
-
- /*
- * It is possible for local user to install preloaded application but one needs app_install privileges
- * By default only global user or root can install preloaded apps
- */
- Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+ Api::install(invalidReq, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
}
+