namespace PasswdAccess {
uid_t uid(const std::string &username);
- void allUser(const std::string &username, uid_t &uid, gid_t &gid) {
+ void allUser(const std::string &username, uid_t &uid, gid_t &gid);
gid_t gid(const std::string &groupname);
} // namespace PasswdAccess
${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_commons.cpp
${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_file_operations.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases.cpp
+ ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_privacy_manager.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/security_manager_tests.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_api.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_commons.cpp
check_app_after_install(app_id, pkg_id);
}
-
void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed,
app_install_type type, bool check_after)
{
DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
+struct app_attributes {
+ std::string package;
+ std::string Tizen_ver;
+};
+
const int FTW_MAX_FDS = 16;
extern const privileges_t SM_ALLOWED_PRIVILEGES;
extern const privileges_t SM_DENIED_PRIVILEGES;
extern const privileges_t SM_NO_PRIVILEGES;
extern const std::vector<std::string> SM_ALLOWED_GROUPS;
-
static const char *const SM_RW_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir";
const std::string uidToStr(const uid_t uid);
RUNNER_ASSERT_ERRNO_MSG(0 == setuid(uid), "Error in setuid.");
}
-
static const char *const SM_TRUSTED_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir_trusted";
-
-static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
-static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
-static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
-static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
-
-static const std::vector<std::string> MANY_APPS = {
- "security_manager_10_app_1",
- "security_manager_10_app_2",
- "security_manager_10_app_3",
- "security_manager_10_app_4",
- "security_manager_10_app_5"
-};
-
-struct app_attributes {
- std::string package;
- std::string Tizen_ver;
-};
static const std::map<std::string, struct app_attributes> MANY_APPS_PKGS = {
{"security_manager_10_app_1", {"security_manager_10_pkg_1", "2.1"}},
{"security_manager_10_app_2", {"security_manager_10_pkg_2", "3.0"}},
{"security_manager_10_app_3", {"security_manager_10_pkg_3", "2.1.1"}},
{"security_manager_10_app_4", {"security_manager_10_pkg_4", "3.1"}},
- {"security_manager_10_app_5", {"security_manager_10_pkg_5", "2.2"}},
- {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}}
-};
-
-static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
- {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/display"
- },
- {
- "http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/datasharing"
- },
- {
- "http://tizen.org/privilege/content.write",
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/email"
- },
- {
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/email",
- "http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/datasharing"
- },
- {
- "http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/display",
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/email"
- }
-};
-
-static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
-{
- InstallRequest request;
- request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
- request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
- request.setUid(uid);
- request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
- if (forAdmin)
- request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
- Api::install(request);
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ {"security_manager_10_app_5", {"security_manager_10_pkg_5", "2.2"}}
};
void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
}
}
-RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
-{
- //TEST DATA
- const std::string username("sm_test_10_user_name");
- unsigned int privileges_count = 0;
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- MANY_APPS.at(i), std::set<std::string>(
- MANY_APPS_PRIVILEGES.at(i).begin(),
- MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
- ++privileges_count;
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
- //TEST DATA END
-
- SynchronizationPipe pipe;
- pid_t pid = fork();
-
- if (pid != 0) { //parent process
- pipe.claimParentEp();
- TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
- tmpUser.create();
-
- for(const auto &user : users2AppsMap) {
-
- for(const auto &app : user.second) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(tmpUser.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child process
- pipe.post();
- waitPid(pid);
-
- tmpUser.remove();
- } else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(username, uid, gid);
- std::string uidStr = std::to_string(uid);
- register_current_process_as_privilege_manager(uid);
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter;
- Api::getPolicy(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
-
- for (const auto &policyEntry : policyEntries) {
- std::string user = policyEntry.getUser();
- std::string app = policyEntry.getAppId();
- std::string privilege = policyEntry.getPrivilege();
-
- RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
-
- try {
- std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
- if (tmp == users2AppsMap.at(username).at(app).end())
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
- };
- };
- exit(0);
- };
-}
-
-RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
-{
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
- unsigned int privileges_count = 0;
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for (const auto &username : usernames) {
- //Only entries for one of the users will be listed
- privileges_count = 0;
-
- for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- MANY_APPS.at(i), std::set<std::string>(
- MANY_APPS_PRIVILEGES.at(i).begin(),
- MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
- };
-
- users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
-
- ++privileges_count;
- //TEST DATA END
-
- SynchronizationPipe pipe;
- pid_t pid = fork();
-
- if (pid != 0) { //parent process
- pipe.claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
- };
-
- users.at(0).create();
- users.at(1).create();
-
- //Install apps for both users
- for(const auto &user : users) {
- for(const auto &app : users2AppsMap.at(user.getUserName())) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(user.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child
- pipe.post();
- waitPid(pid);
-
- for (auto &user : users)
- user.remove();
-
- } else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(usernames.at(0), uid, gid);
- std::string uidStr = std::to_string(uid);
- register_current_process_as_privilege_manager(uid);
-
- //change uid to normal user
- errno = 0;
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter;
-
- //this call should only return privileges belonging to the current uid
- Api::getPolicy(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
-
- for (const auto &policyEntry : policyEntries) {
- std::string user = policyEntry.getUser();
- std::string app = policyEntry.getAppId();
- std::string privilege = policyEntry.getPrivilege();
-
- RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
-
- try {
- std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
- if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
- };
- };
- exit(0);
- };
-}
-
-RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
-{
- std::vector<PolicyEntry> oldPolicyVec;
- Api::getPolicy(PolicyEntry(), oldPolicyVec);
- std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
-
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
- unsigned int privileges_count = oldPolicyVec.size();
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for (const auto &username : usernames) {
- for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- MANY_APPS.at(i), std::set<std::string>(
- MANY_APPS_PRIVILEGES.at(i).begin(),
- MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
- };
-
- users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
- std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
-
- privileges_count += 2;
- //TEST DATA END
-
- SynchronizationPipe pipe;
- pid_t pid = fork();
-
- if (pid != 0) { //parent process
- pipe.claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
- };
-
- users.at(0).create();
- users.at(1).create();
- //Install apps for both users
- for(const auto &user : users) {
- for(const auto &app : users2AppsMap.at(user.getUserName())) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(user.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child process
- pipe.post();
- waitPid(pid);
-
- for (auto &user : users)
- user.remove();
-
- } else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t normalUid;
- gid_t normalGid;
- PasswdAccess::allUser(usernames.at(1), normalUid, normalUid);
- std::string normalUidStr = std::to_string(normalUid);
- uid_t adminUid = PasswdAccess::uid(usernames.at(0));
- std::string adminUidStr = std::to_string(adminUid);
- register_current_process_as_privilege_manager(normalUid, true);
-
- //change uid to normal user
- int result = drop_root_privileges(normalUid, normalGid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
-
- std::vector<PolicyEntry> policyEntries;
- //this call should succeed as the calling user is privileged
- Api::getPolicy(PolicyEntry(), policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
-
- for (const auto &policyEntry : policyEntries) {
- if (oldPolicySet.count(policyEntry))
- continue;
-
- std::string user = policyEntry.getUser();
- std::string app = policyEntry.getAppId();
- std::string privilege = policyEntry.getPrivilege();
-
- RUNNER_ASSERT_MSG(user == normalUid || user == adminUid, "Unexpected user: " << user);
-
- std::string uidStrToLook = user == normalUid ? usernames.at(0) : usernames.at(1);
-
- try {
- std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
- if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
- } catch (const std::invalid_argument& e) {
- RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
- };
- };
-
- exit(0);
- };
-}
-
-RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
-{
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for (const auto &username : usernames) {
-
- for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- MANY_APPS.at(i), std::set<std::string>(
- MANY_APPS_PRIVILEGES.at(i).begin(),
- MANY_APPS_PRIVILEGES.at(i).end())));
- };
-
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
- };
-
- users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
-
- //TEST DATA END
-
- pid_t pid[2];
- SynchronizationPipe sync[2];
- std::vector<PolicyEntry> policyEntries;
-
- pid[0] = fork();
-
- if (pid[0] == 0) { //child #1 process
- sync[0].claimChildEp();
- sync[0].wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(usernames.at(0), uid, gid);
- register_current_process_as_privilege_manager(uid);
-
- //change uid to normal user
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyEntry filter;
- PolicyRequest policyRequest;
-
- PolicyEntry policyEntry(
- MANY_APPS[0],
- std::to_string(uid),
- "http://tizen.org/privilege/internet"
- );
- policyEntry.setLevel("Deny");
-
- policyRequest.addEntry(policyEntry);
- policyEntry = PolicyEntry(
- MANY_APPS[1],
- std::to_string(uid),
- "http://tizen.org/privilege/display"
- );
- policyEntry.setLevel("Deny");
-
- policyRequest.addEntry(policyEntry);
- Api::sendPolicy(policyRequest);
-
- exit(0);
- } else { //parent process
- sync[0].claimParentEp();
- pid[1] = fork();
-
- if (pid[1] == 0) { //child #2 process
- sync[1].claimChildEp();
- sync[1].wait();
-
- uid_t target_uid = PasswdAccess::uid(usernames.at(0));
- uid_t my_uid;
- gid_t my_gid;
- PasswdAccess::allUser(usernames.at(1), my_uid, my_gid);
-
- register_current_process_as_privilege_manager(my_uid);
-
- //change uid to normal user
- int result = drop_root_privileges(my_uid, my_gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyEntry filter = PolicyEntry(
- SECURITY_MANAGER_ANY,
- std::to_string(target_uid),
- SECURITY_MANAGER_ANY
- );
-
- //U2 requests contents of U1 privacy manager - should fail
- Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
-
- filter = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY
- );
-
- policyEntries.clear();
-
- //U2 requests contents of ADMIN bucket - should fail
- Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
- exit(0);
- } else { //parent
- sync[1].claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
- };
-
- users.at(0).create();
- users.at(1).create();
-
- //Install apps for both users
- for(const auto &user : users2AppsMap) {
-
- for(const auto &app : user.second) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(users.at(0).getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child #1
- sync[0].post();
- waitPid(pid[0]);
-
- //Start child #2
- sync[1].post();
- waitPid(pid[1]);
-
- for (auto &user : users)
- user.remove();
- };
- };
-}
-
-RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
-{
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
- unsigned int privileges_count = 0;
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for (const auto &username : usernames) {
-
- for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- MANY_APPS.at(i), std::set<std::string>(
- MANY_APPS_PRIVILEGES.at(i).begin(),
- MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
- };
-
- users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
-
- privileges_count += 2;
- //TEST DATA END
- SynchronizationPipe pipe;
-
- pid_t pid = fork();
- if (pid != 0) {
- pipe.claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
- };
-
- users.at(0).create();
- users.at(1).create();
-
- //Install apps for both users
- for(const auto &user : users) {
-
- for(const auto &app : users2AppsMap.at(user.getUserName())) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(user.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
- };
-
- //Start child process
- pipe.post();
- waitPid(pid);
-
- //switch back to root
- for (auto &user : users)
- user.remove();
-
- } else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(usernames.at(1), uid, gid);
- register_current_process_as_privilege_manager(uid, true);
-
- //change uid to normal user
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyRequest *policyRequest = new PolicyRequest();
- PolicyEntry filter;
- std::vector<PolicyEntry> policyEntries;
- //this call should succeed as the calling user is privileged
- Api::getPolicyForSelf(filter, policyEntries);
-
- unsigned int policyNum = policyEntries.size();
-
- PolicyEntry policyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/internet"
- );
- policyEntry.setMaxLevel("Deny");
-
- policyRequest->addEntry(policyEntry);
- policyEntry = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/display"
- );
- policyEntry.setMaxLevel("Deny");
-
- policyRequest->addEntry(policyEntry);
- Api::sendPolicy(*policyRequest);
- Api::getPolicyForAdmin(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
- << policyNum + 2 << " and is " << policyEntries.size());
-
- delete policyRequest;
- policyRequest = new PolicyRequest();
- policyEntry = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/internet"
- );
- policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
- policyRequest->addEntry(policyEntry);
-
- policyEntry = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/display"
- );
- policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
-
- policyRequest->addEntry(policyEntry);
- Api::sendPolicy(*policyRequest);
-
- policyEntries.clear();
- Api::getPolicyForAdmin(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
-
- delete policyRequest;
-
- exit(0);
- };
-
-}
-
-RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
-{
- const char *const update_app_id = "security_manager_15_update_app_id";
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "ADMIN";
- const std::string username("sm_test_15_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
- ScopedProcessLabel keepLabel;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
- user.create();
-
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), true);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid);
-
- admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
- entry.setMaxLevel("Allow");
-
- addPolicyRequest.addEntry(entry);
- Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
-}
-
-RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
-{
- const char *const update_other_app_id = "security_manager_15_update_other_app_id";
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "ADMIN";
- const std::string username("sm_test_15_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
- ScopedProcessLabel keepLabel;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
- user.create();
-
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), true);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid);
-
- admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- // use wildcard as appId
- PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
- entry.setMaxLevel("Allow");
-
- addPolicyRequest.addEntry(entry);
- Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
-}
-
-RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
-{
- const char *const update_app_id = "security_manager_15_update_app_id";
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "";
- const std::string username("sm_test_15_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
- ScopedProcessLabel keepLabel;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
-
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), false);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid);
-
- admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
- entry.setLevel("Allow");
-
- addPolicyRequest.addEntry(entry);
- Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
-}
-
-RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
-{
- const std::string username("sm_test_16_user_cynara_policy");
- CynaraTestAdmin::Admin admin;
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
-
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid);
- }
- if(pid == 0)
- {
- int ret;
- char** levels;
- std::string allow_policy, deny_policy;
- size_t count;
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- // 3 should be there when ask-user is installed
- ret = security_manager_policy_levels_get(&levels, &count);
-
- RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
- "Invlid return code: " << ret);
-
- RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
-
- deny_policy = std::string(levels[0]);
- allow_policy = std::string(levels[count-1]);
- // first should always be Deny
- RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
- "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
- // last should always be Allow
- RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
- "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
-
- security_manager_policy_levels_free(levels, count);
- exit(0);
- }
-}
-
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
-{
- const char *const update_app_id = "security_manager_17_update_app_id";
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "";
- const std::string username("sm_test_17_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- int pipefd2[2];
- pid_t pid[2];
- int result = 0;
- ScopedProcessLabel keepLabel;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
- RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
- user.create();
-
- pid[0] = fork();
- RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
- if (pid[0] != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), false);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid[0]);
-
- admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
-
- pid[1] = fork();
- if (pid[1] != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd2+1);
- close(pipefd2[0]);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid[1]);
-
- admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
- }
- if(pid[1] == 0)
- {
- FdUniquePtr pipeptr(pipefd2);
- close(pipefd2[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- // delete this entry
- PolicyRequest deletePolicyRequest;
- PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
- deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
-
- deletePolicyRequest.addEntry(deleteEntry);
- Api::sendPolicy(deletePolicyRequest);
- exit(0);
- }
- }
- if(pid[0] == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
- entry.setLevel("Allow");
-
- addPolicyRequest.addEntry(entry);
- Api::sendPolicy(addPolicyRequest);
- exit(0);
- }
-}
-
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
-{
- const std::string username("sm_test_17_user_name");
-
- struct message {
- uid_t uid;
- gid_t gid;
- unsigned int privileges_count;
- } msg;
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
- ScopedProcessLabel keepLabel;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
- user.create();
-
- unsigned int privileges_count = 0;
-
- for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
- InstallRequest requestInst;
- requestInst.setAppId(MANY_APPS[i].c_str());
- requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).package.c_str());
- requestInst.setUid(user.getUid());
-
- for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
- requestInst.addPrivilege(priv.c_str());
- };
-
- Api::install(requestInst);
- privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- register_current_process_as_privilege_manager(user.getUid(), false);
- //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
- ++privileges_count;
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
- msg.privileges_count = privileges_count;
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- // filter by privilege
- std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
- Api::getPolicy(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
-
- // filter by other privilege
- policyEntries.clear();
- PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
- Api::getPolicy(filter2, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
-
- // filter by appId
- policyEntries.clear();
- PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
- Api::getPolicy(filter3, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
- }
-}
RUNNER_TEST(security_manager_18_user_cynara_policy)
{
} msg;
privileges_t admin_required_privs = {
- PRIVILEGE_MANAGER_SELF_PRIVILEGE,
- PRIVILEGE_MANAGER_ADMIN_PRIVILEGE};
+ "http://tizen.org/privilege/notexist",
+ "http://tizen.org/privilege/internal/usermanagement"};
privileges_t manifest_privs = {
"http://tizen.org/privilege/internet",
"http://tizen.org/privilege/datasharing"};
--- /dev/null
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <cstdlib>
+#include <map>
+#include <set>
+#include <string>
+#include <sys/types.h>
+#include <unistd.h>
+#include <unordered_set>
+#include <utility>
+#include <vector>
+
+#include <cynara_test_admin.h>
+#include <dpl/test/test_runner.h>
+#include <memory.h>
+#include <passwd_access.h>
+#include <scoped_label.h>
+#include <sm_api.h>
+#include <sm_commons.h>
+#include <sm_policy_request.h>
+#include <sm_request.h>
+#include <synchronization_pipe.h>
+#include <temp_test_user.h>
+#include <tests_common.h>
+
+using namespace SecurityManagerTest;
+
+static const std::vector<std::string> PM_MANY_APPS = {
+ "security_manager_pm_app_1",
+ "security_manager_pm_app_2",
+ "security_manager_pm_app_3",
+ "security_manager_pm_app_4",
+ "security_manager_pm_app_5"
+};
+
+const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
+const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
+const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
+const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
+
+static const std::map<std::string, struct app_attributes> PM_MANY_APPS_PKGS = {
+ {"security_manager_pm_app_1", {"security_manager_pm_pkg_1", "2.1"}},
+ {"security_manager_pm_app_2", {"security_manager_pm_pkg_2", "3.0"}},
+ {"security_manager_pm_app_3", {"security_manager_pm_pkg_3", "2.1.1"}},
+ {"security_manager_pm_app_4", {"security_manager_pm_pkg_4", "3.1"}},
+ {"security_manager_pm_app_5", {"security_manager_pm_pkg_5", "2.2"}},
+ {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}}
+};
+
+static const std::vector<privileges_t> PM_MANY_APPS_PRIVILEGES = {
+ {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/display"
+ },
+ {
+ "http://tizen.org/privilege/telephony",
+ "http://tizen.org/privilege/datasharing"
+ },
+ {
+ "http://tizen.org/privilege/content.write",
+ "http://tizen.org/privilege/led",
+ "http://tizen.org/privilege/email"
+ },
+ {
+ "http://tizen.org/privilege/led",
+ "http://tizen.org/privilege/email",
+ "http://tizen.org/privilege/telephony",
+ "http://tizen.org/privilege/datasharing"
+ },
+ {
+ "http://tizen.org/privilege/internet",
+ "http://tizen.org/privilege/display",
+ "http://tizen.org/privilege/led",
+ "http://tizen.org/privilege/email"
+ }
+};
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
+
+static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
+{
+ InstallRequest request;
+ request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
+ request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
+ request.setUid(uid);
+ request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
+ if (forAdmin)
+ request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
+ Api::install(request);
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+};
+
+RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
+{
+ //TEST DATA
+ const std::string username("sm_test_10_user_name");
+ unsigned int privileges_count = 0;
+
+ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
+ std::map<std::string, std::set<std::string>> apps2PrivsMap;
+
+ for (unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
+ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
+ PM_MANY_APPS.at(i), std::set<std::string>(
+ PM_MANY_APPS_PRIVILEGES.at(i).begin(),
+ PM_MANY_APPS_PRIVILEGES.at(i).end())));
+ privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
+ };
+
+ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
+ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
+ ++privileges_count;
+ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ //TEST DATA END
+
+ SynchronizationPipe pipe;
+ pid_t pid = fork();
+
+ if (pid != 0) { //parent process
+ pipe.claimParentEp();
+ TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
+ tmpUser.create();
+
+ for(const auto &user : users2AppsMap) {
+ for(const auto &app : user.second) {
+ InstallRequest requestInst;
+ requestInst.setAppId(app.first.c_str());
+ try {
+ requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
+ };
+ requestInst.setUid(tmpUser.getUid());
+
+ for (const auto &privilege : app.second) {
+ requestInst.addPrivilege(privilege.c_str());
+ };
+
+ Api::install(requestInst);
+ };
+
+ //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
+ };
+
+ //Start child process
+ pipe.post();
+ waitPid(pid);
+
+ tmpUser.remove();
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
+
+ uid_t uid; gid_t gid;
+ PasswdAccess::allUser(username, uid, gid);
+ std::string uidStr = std::to_string(uid);
+ register_current_process_as_privilege_manager(uid);
+ int result = drop_root_privileges(uid, gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ std::vector<PolicyEntry> policyEntries;
+ PolicyEntry filter;
+ Api::getPolicy(filter, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
+
+ for (const auto &policyEntry : policyEntries) {
+ std::string user = policyEntry.getUser();
+ std::string app = policyEntry.getAppId();
+ std::string privilege = policyEntry.getPrivilege();
+
+ RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
+
+ try {
+ std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(username).at(app).end())
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
+ };
+ };
+ exit(0);
+ };
+}
+
+RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
+{
+ //TEST DATA
+ const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
+ unsigned int privileges_count = 0;
+
+ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
+ std::map<std::string, std::set<std::string>> apps2PrivsMap;
+
+ for (const auto &username : usernames) {
+ //Only entries for one of the users will be listed
+ privileges_count = 0;
+
+ for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
+ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
+ PM_MANY_APPS.at(i), std::set<std::string>(
+ PM_MANY_APPS_PRIVILEGES.at(i).begin(),
+ PM_MANY_APPS_PRIVILEGES.at(i).end())));
+ privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
+ };
+
+ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ };
+
+ users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
+ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
+
+ ++privileges_count;
+ //TEST DATA END
+
+ SynchronizationPipe pipe;
+ pid_t pid = fork();
+
+ if (pid != 0) { //parent process
+ pipe.claimParentEp();
+ std::vector<TemporaryTestUser> users = {
+ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
+ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
+ };
+
+ users.at(0).create();
+ users.at(1).create();
+
+ //Install apps for both users
+ for(const auto &user : users) {
+ for(const auto &app : users2AppsMap.at(user.getUserName())) {
+ InstallRequest requestInst;
+ requestInst.setAppId(app.first.c_str());
+ try {
+ requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
+ };
+ requestInst.setUid(user.getUid());
+
+ for (const auto &privilege : app.second) {
+ requestInst.addPrivilege(privilege.c_str());
+ };
+
+ Api::install(requestInst);
+ };
+
+ //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
+ };
+
+ //Start child
+ pipe.post();
+ waitPid(pid);
+
+ for (auto &user : users)
+ user.remove();
+
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
+
+ uid_t uid; gid_t gid;
+ PasswdAccess::allUser(usernames.at(0), uid, gid);
+ std::string uidStr = std::to_string(uid);
+ register_current_process_as_privilege_manager(uid);
+
+ //change uid to normal user
+ errno = 0;
+ int result = drop_root_privileges(uid, gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ std::vector<PolicyEntry> policyEntries;
+ PolicyEntry filter;
+
+ //this call should only return privileges belonging to the current uid
+ Api::getPolicy(filter, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
+
+ for (const auto &policyEntry : policyEntries) {
+ std::string user = policyEntry.getUser();
+ std::string app = policyEntry.getAppId();
+ std::string privilege = policyEntry.getPrivilege();
+
+ RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
+
+ try {
+ std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
+ };
+ };
+ exit(0);
+ };
+}
+
+RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
+{
+ std::vector<PolicyEntry> oldPolicyVec;
+ Api::getPolicy(PolicyEntry(), oldPolicyVec);
+ std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
+
+ //TEST DATA
+ const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
+ unsigned int privileges_count = oldPolicyVec.size();
+
+ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
+ std::map<std::string, std::set<std::string>> apps2PrivsMap;
+
+ for (const auto &username : usernames) {
+ for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
+ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
+ PM_MANY_APPS.at(i), std::set<std::string>(
+ PM_MANY_APPS_PRIVILEGES.at(i).begin(),
+ PM_MANY_APPS_PRIVILEGES.at(i).end())));
+ privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
+ };
+
+ users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
+ };
+
+ users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
+ std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
+
+ privileges_count += 2;
+ //TEST DATA END
+
+ SynchronizationPipe pipe;
+ pid_t pid = fork();
+
+ if (pid != 0) { //parent process
+ pipe.claimParentEp();
+ std::vector<TemporaryTestUser> users = {
+ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
+ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
+ };
+
+ users.at(0).create();
+ users.at(1).create();
+ //Install apps for both users
+ for(const auto &user : users) {
+ for(const auto &app : users2AppsMap.at(user.getUserName())) {
+ InstallRequest requestInst;
+ requestInst.setAppId(app.first.c_str());
+ try {
+ requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
+ };
+ requestInst.setUid(user.getUid());
+
+ for (const auto &privilege : app.second) {
+ requestInst.addPrivilege(privilege.c_str());
+ };
+
+ Api::install(requestInst);
+ };
+
+ //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
+ };
+
+ //Start child process
+ pipe.post();
+ waitPid(pid);
+
+ for (auto &user : users)
+ user.remove();
+
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
+
+ uid_t adminUid;
+ gid_t adminGid;
+ PasswdAccess::allUser(usernames.at(1), adminUid, adminGid);
+ std::string adminUidStr = std::to_string(adminUid);
+ uid_t normalUid = PasswdAccess::uid(usernames.at(0));
+ std::string normalUidStr = std::to_string(normalUid);
+ register_current_process_as_privilege_manager(adminUid, true);
+
+ //change uid to normal user
+ int result = drop_root_privileges(adminUid, adminGid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+
+ std::vector<PolicyEntry> policyEntries;
+ //this call should succeed as the calling user is privileged
+ Api::getPolicy(PolicyEntry(), policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
+
+ for (const auto &policyEntry : policyEntries) {
+ if (oldPolicySet.count(policyEntry))
+ continue;
+
+ std::string user = policyEntry.getUser();
+ std::string app = policyEntry.getAppId();
+ std::string privilege = policyEntry.getPrivilege();
+
+ RUNNER_ASSERT_MSG(user == normalUidStr || user == adminUidStr, "Unexpected user: " << user);
+
+ std::string uidStrToLook = user == normalUidStr ? usernames.at(0) : usernames.at(1);
+
+ try {
+ std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
+ } catch (const std::invalid_argument& e) {
+ RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
+ };
+ };
+
+ exit(0);
+ };
+}
+
+RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
+{
+ //TEST DATA
+ const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
+
+ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
+ std::map<std::string, std::set<std::string>> apps2PrivsMap;
+
+ for (const auto &username : usernames) {
+
+ for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
+ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
+ PM_MANY_APPS.at(i), std::set<std::string>(
+ PM_MANY_APPS_PRIVILEGES.at(i).begin(),
+ PM_MANY_APPS_PRIVILEGES.at(i).end())));
+ };
+
+ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ };
+
+ users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
+ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
+
+ //TEST DATA END
+
+ pid_t pid[2];
+ SynchronizationPipe sync[2];
+ std::vector<PolicyEntry> policyEntries;
+
+ pid[0] = fork();
+
+ if (pid[0] == 0) { //child #1 process
+ sync[0].claimChildEp();
+ sync[0].wait();
+
+ uid_t uid; gid_t gid;
+ PasswdAccess::allUser(usernames.at(0), uid, gid);
+ register_current_process_as_privilege_manager(uid);
+
+ //change uid to normal user
+ int result = drop_root_privileges(uid, gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry filter;
+ PolicyRequest policyRequest;
+
+ PolicyEntry policyEntry(
+ PM_MANY_APPS[0],
+ std::to_string(uid),
+ "http://tizen.org/privilege/internet"
+ );
+ policyEntry.setLevel("Deny");
+
+ policyRequest.addEntry(policyEntry);
+ policyEntry = PolicyEntry(
+ PM_MANY_APPS[1],
+ std::to_string(uid),
+ "http://tizen.org/privilege/display"
+ );
+ policyEntry.setLevel("Deny");
+
+ policyRequest.addEntry(policyEntry);
+ Api::sendPolicy(policyRequest);
+
+ exit(0);
+ } else { //parent process
+ sync[0].claimParentEp();
+ pid[1] = fork();
+
+ if (pid[1] == 0) { //child #2 process
+ sync[1].claimChildEp();
+ sync[1].wait();
+
+ uid_t target_uid = PasswdAccess::uid(usernames.at(0));
+ uid_t my_uid;
+ gid_t my_gid;
+ PasswdAccess::allUser(usernames.at(1), my_uid, my_gid);
+
+ register_current_process_as_privilege_manager(my_uid);
+
+ //change uid to normal user
+ int result = drop_root_privileges(my_uid, my_gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry filter = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ std::to_string(target_uid),
+ SECURITY_MANAGER_ANY
+ );
+
+ //U2 requests contents of U1 privacy manager - should fail
+ Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
+
+ filter = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY
+ );
+
+ policyEntries.clear();
+
+ //U2 requests contents of ADMIN bucket - should fail
+ Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
+ exit(0);
+ } else { //parent
+ sync[1].claimParentEp();
+ std::vector<TemporaryTestUser> users = {
+ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
+ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
+ };
+
+ users.at(0).create();
+ users.at(1).create();
+
+ //Install apps for both users
+ for(const auto &user : users2AppsMap) {
+
+ for(const auto &app : user.second) {
+ InstallRequest requestInst;
+ requestInst.setAppId(app.first.c_str());
+ try {
+ requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
+ };
+ requestInst.setUid(users.at(0).getUid());
+
+ for (const auto &privilege : app.second) {
+ requestInst.addPrivilege(privilege.c_str());
+ };
+
+ Api::install(requestInst);
+ };
+
+ //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
+ };
+
+ //Start child #1
+ sync[0].post();
+ waitPid(pid[0]);
+
+ //Start child #2
+ sync[1].post();
+ waitPid(pid[1]);
+
+ for (auto &user : users)
+ user.remove();
+ };
+ };
+}
+
+RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
+{
+ //TEST DATA
+ const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
+ unsigned int privileges_count = 0;
+
+ std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
+ std::map<std::string, std::set<std::string>> apps2PrivsMap;
+
+ for (const auto &username : usernames) {
+
+ for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
+ apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
+ PM_MANY_APPS.at(i), std::set<std::string>(
+ PM_MANY_APPS_PRIVILEGES.at(i).begin(),
+ PM_MANY_APPS_PRIVILEGES.at(i).end())));
+ privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
+ };
+
+ users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ };
+
+ users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
+ PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
+
+ privileges_count += 2;
+ //TEST DATA END
+ SynchronizationPipe pipe;
+
+ pid_t pid = fork();
+ if (pid != 0) {
+ pipe.claimParentEp();
+ std::vector<TemporaryTestUser> users = {
+ TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
+ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
+ };
+
+ users.at(0).create();
+ users.at(1).create();
+
+ //Install apps for both users
+ for(const auto &user : users) {
+
+ for(const auto &app : users2AppsMap.at(user.getUserName())) {
+ InstallRequest requestInst;
+ requestInst.setAppId(app.first.c_str());
+ try {
+ requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
+ } catch (const std::out_of_range &e) {
+ RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
+ };
+ requestInst.setUid(user.getUid());
+
+ for (const auto &privilege : app.second) {
+ requestInst.addPrivilege(privilege.c_str());
+ };
+
+ Api::install(requestInst);
+ };
+ };
+
+ //Start child process
+ pipe.post();
+ waitPid(pid);
+
+ //switch back to root
+ for (auto &user : users)
+ user.remove();
+
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
+
+ uid_t uid; gid_t gid;
+ PasswdAccess::allUser(usernames.at(1), uid, gid);
+ register_current_process_as_privilege_manager(uid, true);
+
+ //change uid to normal user
+ int result = drop_root_privileges(uid, gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyRequest *policyRequest = new PolicyRequest();
+ PolicyEntry filter;
+ std::vector<PolicyEntry> policyEntries;
+ //this call should succeed as the calling user is privileged
+ Api::getPolicyForSelf(filter, policyEntries);
+
+ unsigned int policyNum = policyEntries.size();
+
+ PolicyEntry policyEntry(
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY,
+ "http://tizen.org/privilege/internet"
+ );
+ policyEntry.setMaxLevel("Deny");
+
+ policyRequest->addEntry(policyEntry);
+ policyEntry = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY,
+ "http://tizen.org/privilege/display"
+ );
+ policyEntry.setMaxLevel("Deny");
+
+ policyRequest->addEntry(policyEntry);
+ Api::sendPolicy(*policyRequest);
+ Api::getPolicyForAdmin(filter, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
+ << policyNum + 2 << " and is " << policyEntries.size());
+
+ delete policyRequest;
+ policyRequest = new PolicyRequest();
+ policyEntry = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY,
+ "http://tizen.org/privilege/internet"
+ );
+ policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
+ policyRequest->addEntry(policyEntry);
+
+ policyEntry = PolicyEntry(
+ SECURITY_MANAGER_ANY,
+ SECURITY_MANAGER_ANY,
+ "http://tizen.org/privilege/display"
+ );
+ policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
+
+ policyRequest->addEntry(policyEntry);
+ Api::sendPolicy(*policyRequest);
+
+ policyEntries.clear();
+ Api::getPolicyForAdmin(filter, policyEntries);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
+
+ delete policyRequest;
+
+ exit(0);
+ };
+
+}
+
+RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
+{
+ const char *const update_app_id = "security_manager_15_update_app_id";
+ const char *const update_privilege = "http://tizen.org/privilege/led";
+ const char *const check_start_bucket = "ADMIN";
+ const std::string username("sm_test_15_username");
+ PolicyRequest addPolicyRequest;
+ CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ register_current_process_as_privilege_manager(user.getUid(), true);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid);
+
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ entry.setMaxLevel("Allow");
+
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
+{
+ const char *const update_other_app_id = "security_manager_15_update_other_app_id";
+ const char *const update_privilege = "http://tizen.org/privilege/led";
+ const char *const check_start_bucket = "ADMIN";
+ const std::string username("sm_test_15_username");
+ PolicyRequest addPolicyRequest;
+ CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ register_current_process_as_privilege_manager(user.getUid(), true);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid);
+
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // use wildcard as appId
+ PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ entry.setMaxLevel("Allow");
+
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
+{
+ const char *const update_app_id = "security_manager_15_update_app_id";
+ const char *const update_privilege = "http://tizen.org/privilege/led";
+ const char *const check_start_bucket = "";
+ const std::string username("sm_test_15_username");
+ PolicyRequest addPolicyRequest;
+ CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ register_current_process_as_privilege_manager(user.getUid(), false);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid);
+
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ entry.setLevel("Allow");
+
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
+{
+ const std::string username("sm_test_16_user_cynara_policy");
+ CynaraTestAdmin::Admin admin;
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid);
+ }
+ if(pid == 0)
+ {
+ int ret;
+ char** levels;
+ std::string allow_policy, deny_policy;
+ size_t count;
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // 3 should be there when ask-user is installed
+ ret = security_manager_policy_levels_get(&levels, &count);
+
+ RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
+ "Invlid return code: " << ret);
+
+ RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
+
+ deny_policy = std::string(levels[0]);
+ allow_policy = std::string(levels[count-1]);
+
+ // first should always be Deny
+ RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
+ "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
+
+ // last should always be Allow
+ RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
+ "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
+
+ security_manager_policy_levels_free(levels, count);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+{
+ const char *const update_app_id = "security_manager_17_update_app_id";
+ const char *const update_privilege = "http://tizen.org/privilege/led";
+ const char *const check_start_bucket = "";
+ const std::string username("sm_test_17_username");
+ PolicyRequest addPolicyRequest;
+ CynaraTestAdmin::Admin admin;
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ } msg;
+
+ int pipefd[2];
+ int pipefd2[2];
+ pid_t pid[2];
+ int result = 0;
+ ScopedProcessLabel keepLabel;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
+
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ user.create();
+
+ pid[0] = fork();
+ RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
+ if (pid[0] != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ register_current_process_as_privilege_manager(user.getUid(), false);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid[0]);
+
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+
+ pid[1] = fork();
+ if (pid[1] != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd2+1);
+ close(pipefd2[0]);
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid[1]);
+
+ admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
+ std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
+ }
+ if(pid[1] == 0)
+ {
+ FdUniquePtr pipeptr(pipefd2);
+ close(pipefd2[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // delete this entry
+ PolicyRequest deletePolicyRequest;
+ PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
+
+ deletePolicyRequest.addEntry(deleteEntry);
+ Api::sendPolicy(deletePolicyRequest);
+ exit(0);
+ }
+ }
+ if(pid[0] == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ entry.setLevel("Allow");
+
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
+{
+ const std::string username("sm_test_17_user_name");
+
+ struct message {
+ uid_t uid;
+ gid_t gid;
+ unsigned int privileges_count;
+ } msg;
+
+ int pipefd[2];
+ pid_t pid;
+ int result = 0;
+ ScopedProcessLabel keepLabel;
+
+ RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+
+ pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0)//parent process
+ {
+ FdUniquePtr pipeptr(pipefd+1);
+ close(pipefd[0]);
+
+ TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
+ user.create();
+
+ unsigned int privileges_count = 0;
+
+ for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
+ InstallRequest requestInst;
+ requestInst.setAppId(PM_MANY_APPS[i].c_str());
+ requestInst.setPkgId(PM_MANY_APPS_PKGS.at(PM_MANY_APPS[i]).package.c_str());
+ requestInst.setUid(user.getUid());
+
+ for (auto &priv : PM_MANY_APPS_PRIVILEGES.at(i)) {
+ requestInst.addPrivilege(priv.c_str());
+ };
+
+ Api::install(requestInst);
+ privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
+ };
+
+ register_current_process_as_privilege_manager(user.getUid(), false);
+ //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+ ++privileges_count;
+
+ //send info to child
+ msg.uid = user.getUid();
+ msg.gid = user.getGid();
+ msg.privileges_count = privileges_count;
+
+ ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+ waitPid(pid);
+ }
+ if(pid == 0)
+ {
+ FdUniquePtr pipeptr(pipefd);
+ close(pipefd[1]);
+
+ ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+ RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+ //become admin privacy manager manager
+ Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+ result = drop_root_privileges(msg.uid, msg.gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ // filter by privilege
+ std::vector<PolicyEntry> policyEntries;
+ PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
+ Api::getPolicy(filter, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
+
+ // filter by other privilege
+ policyEntries.clear();
+ PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
+ Api::getPolicy(filter2, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
+
+ // filter by appId
+ policyEntries.clear();
+ PolicyEntry filter3(PM_MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
+ Api::getPolicy(filter3, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
+ }
+}
projects / platform / core / test / security-tests.git / commitdiff