From: Zofia Abramowska Date: Wed, 24 Aug 2016 12:36:21 +0000 (+0200) Subject: SM: Code cleanup - separate private sharing tests X-Git-Tag: security-manager_5.5_testing~20^2~62 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=106e5e4b8ec49943f590111d3d22941656ba44bf;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git SM: Code cleanup - separate private sharing tests Change-Id: Ia212364bce408f433927161c6150a7bc22571cd0 --- diff --git a/src/security-manager-tests/CMakeLists.txt b/src/security-manager-tests/CMakeLists.txt index 505e3e1e..33c3dbba 100644 --- a/src/security-manager-tests/CMakeLists.txt +++ b/src/security-manager-tests/CMakeLists.txt @@ -40,6 +40,7 @@ SET(SEC_MGR_SOURCES ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_commons.cpp ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_file_operations.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases.cpp + ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_private_sharing.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_privacy_manager.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/security_manager_tests.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_api.cpp diff --git a/src/security-manager-tests/common/app_install_helper.h b/src/security-manager-tests/common/app_install_helper.h index 5a47e58e..0824bdbe 100644 --- a/src/security-manager-tests/common/app_install_helper.h +++ b/src/security-manager-tests/common/app_install_helper.h @@ -17,12 +17,12 @@ #include #include +#include #include #include #include -#include - +#include struct AppInstallHelper { AppInstallHelper(const std::string &name) diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp index 86e02f1a..132d55ed 100644 --- a/src/security-manager-tests/common/sm_commons.cpp +++ b/src/security-manager-tests/common/sm_commons.cpp 
@@ -14,6 +14,7 @@ * limitations under the License. */ +#include #include #include #include 
@@ -366,6 +367,53 @@ void check_app_after_uninstall(const char *const app_id, const char *const pkg_i check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges); } +std::string access_opposite(std::string &access) { + static const std::map access_mapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3}, + {'t', 4}, {'l', 5}}; + //May write implies may lock + if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) { + access.append("l"); + } + std::string access_opposite = "rwxatl"; + for (char c : access) { + access_opposite[access_mapping.at(c)] = '-'; + } + auto it = std::remove_if(access_opposite.begin(), access_opposite.end(), [](char c) {return c == '-';}); + access_opposite.erase(it, access_opposite.end()); + return access_opposite; +} + +void check_exact_smack_accesses(const std::string &subject, const std::string &object, + const std::string &access) { + std::string access_str(access); + auto no_access = access_opposite(access_str); + for (char c : access_str) { + int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str()); + RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object + << ">, <" << c << "> errno=" << strerror(errno)); + RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to " + << object << " not given"); + } + + for (char c : no_access) { + int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str()); + RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object + << ">, <" << c << "> errno=" << strerror(errno)); + RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to " + << object << " unnecessarily given"); + } +} + +CapsSetsUniquePtr setCaps(const char *cap_string) +{ + CapsSetsUniquePtr caps(cap_init()); + caps.reset(cap_from_text(cap_string)); + RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text"); + int result = 
cap_set_proc(caps.get()); + RUNNER_ASSERT_MSG(result == 0, "can't set capabilities. Result: " << result); + return caps; +} + static void prepare_app_path(int app_num, bool others_enabled = false) { std::string SM_RW_PATH = genRWPath(app_num); @@ -397,16 +445,6 @@ void prepare_app_env(int app_num, bool others_enabled) prepare_app_path(app_num, others_enabled); } -CapsSetsUniquePtr setCaps(const char *cap_string) -{ - CapsSetsUniquePtr caps(cap_init()); - caps.reset(cap_from_text(cap_string)); - RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text"); - int result = cap_set_proc(caps.get()); - RUNNER_ASSERT_MSG(result == 0, "can't set capabilities. Result: " << result); - return caps; -} - void install_app(const char *app_id, const char *pkg_id, uid_t uid, app_install_type type, bool check_after) { diff --git a/src/security-manager-tests/common/sm_commons.h b/src/security-manager-tests/common/sm_commons.h index d137f844..b2296caf 100644 --- a/src/security-manager-tests/common/sm_commons.h +++ b/src/security-manager-tests/common/sm_commons.h @@ -69,6 +69,11 @@ void check_app_after_uninstall(const char *const app_id, const char *const pkg_i void check_app_after_uninstall(const char *const app_id, const char *const pkg_id, const privileges_t &privileges, const bool is_pkg_removed); +std::string access_opposite(std::string &access); +void check_exact_smack_accesses(const std::string &subject, + const std::string &object, + const std::string &access); + CapsSetsUniquePtr setCaps(const char *cap_string); void prepare_app_env(int app_num, bool others_enabled = false); void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0, diff --git a/src/security-manager-tests/security_manager_tests.cpp b/src/security-manager-tests/security_manager_tests.cpp index 6a1a7355..95e2dfdf 100644 --- a/src/security-manager-tests/security_manager_tests.cpp +++ b/src/security-manager-tests/security_manager_tests.cpp 
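Review bot: `access_opposite` is now a shared helper, but it still calls `access_mapping.at(c)` on every character of its argument, so any character outside `rwxatl` (a `-` placeholder or an uppercase letter, for example) throws `std::out_of_range` instead of failing a test assertion. Because `check_exact_smack_accesses` is the helper that decides whether a Smack rule set is exact, an unknown character should be an explicit failure: `auto pos = access_mapping.find(c); RUNNER_ASSERT_MSG(pos != access_mapping.end(), "Unknown Smack access type: " << c);`, then index with `pos->second`. The function also appends `l` to the caller's string through its non-const reference whenever `w` is present, and `check_exact_smack_accesses` relies on that when it asserts the granted set. The declaration added to `sm_commons.h` in this commit should therefore carry a comment such as `// NOTE: modifies access in place - appends 'l' when 'w' is present`.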
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,12 +16,8 @@ #include #include -#include #include -#include -#include - #include #include #include @@ -30,44 +26,37 @@ #include #include #include -#include #include #include #include -#include #include #include #include #include #include -#include - -#include +#include #include +#include +#include +#include #include #include +#include #include -#include -#include +#include #include #include #include #include -#include #include -#include #include #include +#include #include #include -#include -#include -#include -#include -#include using namespace SecurityManagerTest; 
@@ -119,42 +108,7 @@ void check_exact_access(const std::string& subject, const std::string& object, c } } -std::string access_opposite(std::string &access) { - static const std::map access_mapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3}, - {'t', 4}, {'l', 5}}; - //May write implies may lock - if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) { - access.append("l"); - } - std::string access_opposite = "rwxatl"; - for (char c : access) { - access_opposite[access_mapping.at(c)] = '-'; - } - auto it = std::remove_if(access_opposite.begin(), access_opposite.end(), [](char c) {return c == '-';}); - access_opposite.erase(it, access_opposite.end()); - return access_opposite; -} - -void check_exact_smack_accesses(const std::string &subject, const std::string &object, const std::string &access) { - std::string access_str(access); - auto no_access = access_opposite(access_str); - for (char c : access_str) { - int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str()); - RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object << ">, <" << c << "> errno=" << strerror(errno)); - RUNNER_ASSERT_MSG(ret == 1, "Access " << c << " from " << subject << " to " - << object << " not given"); - } - - for (char c : no_access) { - int ret = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str()); - RUNNER_ASSERT_MSG(ret >= 0, "smack_have_access failed: <" << subject << ">, <" << object << ">, <" << c << "> errno=" << strerror(errno)); - RUNNER_ASSERT_MSG(ret == 0, "Access " << c << " from " << subject << " to " - << object << " unnecessarily given"); - } -} - - - +RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY) RUNNER_TEST(security_manager_18_user_cynara_policy) { 
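Review bot: The group name added at the end of this hunk is misspelled: `RUNNER_TEST_GROUP_INIT(SECRUTIY_MANAGER_POLICY)` should read `RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)`, matching the `SECURITY_MANAGER_CMD` and `SECURITY_MANAGER_GROUPS` groups this commit introduces further down in the same file. If the runner selects or reports tests by group name (presumably it does, this is not visible here), the typo would end up in scripts and result logs and be awkward to correct later.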
@@ -182,95 +136,6 @@ RUNNER_TEST(security_manager_18_user_cynara_policy) admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS); } -RUNNER_TEST(security_manager_19_security_manager_cmd_install) -{ - int ret; - const int SUCCESS = 0; - const int FAILURE = 256; - const std::string app_id = "security_manager_10_app"; - const std::string pkg_id = "security_manager_10_pkg"; - const std::string username("sm_test_10_user_name"); - std::string uid_string; - TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); - user.create(); - user.getUidString(uid_string); - const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1"; - const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2"; - const std::string pkgopt = " --pkg=" + pkg_id; - const std::string appopt = " --app=" + app_id; - const std::string uidopt = " --uid=" + uid_string; - - mktreeSafe(path1.c_str(), 0); - mktreeSafe(path2.c_str(), 0); - - const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt; - - struct operation { - std::string command; - int expected_result; - }; - std::vector operations = { - {"security-manager-cmd", FAILURE},//no option - {"security-manager-cmd --blah", FAILURE},//blah option is not known - {"security-manager-cmd --help", SUCCESS}, - {"security-manager-cmd --install", FAILURE},//no params - {"security-manager-cmd -i", FAILURE},//no params - {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid - {installcmd, SUCCESS}, - {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS}, - {installcmd + " --path " + path1 + " rw", SUCCESS}, - {installcmd + " --path " + path1, FAILURE},//no path type - {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS}, - {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type - 
{installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS}, - }; - - for (auto &op : operations) { - ret = system((op.command + " 1>/dev/null 2>&1").c_str()); - RUNNER_ASSERT_MSG(ret == op.expected_result, - "Unexpected result for command '" << op.command <<"': " - << ret << " Expected was: "<< op.expected_result); - } -} - -RUNNER_TEST(security_manager_20_security_manager_cmd_users) -{ - int ret; - const int SUCCESS = 0; - const int FAILURE = 256; - const std::string username("sm_test_11_user_name"); - std::string uid_string; - TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); - user.create(); - user.getUidString(uid_string); - const std::string uidopt = " --uid=" + uid_string; - - struct operation { - std::string command; - int expected_result; - }; - std::vector operations = { - {"security-manager-cmd --manage-users=remove", FAILURE},//no params - {"security-manager-cmd -m", FAILURE},//no params - {"security-manager-cmd -mr", FAILURE},//no uid - {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid - {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj? - {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf? - {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed - {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah - {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added - {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added - {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added - }; - - for (auto &op : operations) { - ret = system((op.command + " 1>/dev/null 2>&1").c_str()); - RUNNER_ASSERT_MSG(ret == op.expected_result, - "Unexpected result for command '" << op.command <<"': " - << ret << " Expected was: "<< op.expected_result); - } -} - RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) { const int BUFFER_SIZE = 128; 
@@ -374,6 +239,98 @@ RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) } } + +RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD) + +RUNNER_TEST(security_manager_19_security_manager_cmd_install) +{ + int ret; + const int SUCCESS = 0; + const int FAILURE = 256; + const std::string app_id = "security_manager_10_app"; + const std::string pkg_id = "security_manager_10_pkg"; + const std::string username("sm_test_10_user_name"); + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + user.getUidString(uid_string); + const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1"; + const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2"; + const std::string pkgopt = " --pkg=" + pkg_id; + const std::string appopt = " --app=" + app_id; + const std::string uidopt = " --uid=" + uid_string; + + mktreeSafe(path1.c_str(), 0); + mktreeSafe(path2.c_str(), 0); + + const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt; + + struct operation { + std::string command; + int expected_result; + }; + std::vector operations = { + {"security-manager-cmd", FAILURE},//no option + {"security-manager-cmd --blah", FAILURE},//blah option is not known + {"security-manager-cmd --help", SUCCESS}, + {"security-manager-cmd --install", FAILURE},//no params + {"security-manager-cmd -i", FAILURE},//no params + {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid + {installcmd, SUCCESS}, + {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS}, + {installcmd + " --path " + path1 + " rw", SUCCESS}, + {installcmd + " --path " + path1, FAILURE},//no path type + {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS}, + {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type + {installcmd + " --path " + path1 + " rw" + " --privilege 
somepriv --privilege somepriv2" , SUCCESS}, + }; + + for (auto &op : operations) { + ret = system((op.command + " 1>/dev/null 2>&1").c_str()); + RUNNER_ASSERT_MSG(ret == op.expected_result, + "Unexpected result for command '" << op.command <<"': " + << ret << " Expected was: "<< op.expected_result); + } +} + +RUNNER_TEST(security_manager_20_security_manager_cmd_users) +{ + int ret; + const int SUCCESS = 0; + const int FAILURE = 256; + const std::string username("sm_test_11_user_name"); + std::string uid_string; + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + user.getUidString(uid_string); + const std::string uidopt = " --uid=" + uid_string; + + struct operation { + std::string command; + int expected_result; + }; + std::vector operations = { + {"security-manager-cmd --manage-users=remove", FAILURE},//no params + {"security-manager-cmd -m", FAILURE},//no params + {"security-manager-cmd -mr", FAILURE},//no uid + {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid + {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj? + {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf? + {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed + {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah + {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added + {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added + {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added + }; + + for (auto &op : operations) { + ret = system((op.command + " 1>/dev/null 2>&1").c_str()); + RUNNER_ASSERT_MSG(ret == op.expected_result, + "Unexpected result for command '" << op.command <<"': " + << ret << " Expected was: "<< op.expected_result); + } +} + void setupPrivilegeGroups(const privileges_t &privileges, const std::vector &groups) { TestSecurityManagerDatabase db; 
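Review bot: Both tests in the new `SECURITY_MANAGER_CMD` group compare the raw return value of `system()` with `SUCCESS = 0` and `FAILURE = 256`, which ties the check to the wait-status encoding of exit code 1. A command killed by a signal, a `system()` call that itself returns -1, or a tool that rejects bad input with any exit code other than 1 is reported as "Unexpected result" with a number that is hard to interpret. I would decode the status first, `RUNNER_ASSERT_MSG(ret != -1 && WIFEXITED(ret), "Command did not exit normally: " << op.command);`, and then compare `WEXITSTATUS(ret)` against `FAILURE = 1` (this needs `<sys/wait.h>` if it is not already included). The `--usertype=mal` entry expects FAILURE but its trailing comment says `//ok, added`; `//unknown user type` would match the expectation.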
@@ -402,6 +359,8 @@ std::vector readPrivilegeGroups() return groups; } +RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS) + RUNNER_TEST(security_manager_22_groups_get) { setupPrivilegeGroups(SM_ALLOWED_PRIVILEGES, SM_ALLOWED_GROUPS); 
@@ -654,1067 +613,6 @@ RUNNER_TEST(security_manager_27p_API30_app_uninstall) }; } -namespace { -const char *const owner_access = "rwxat"; -const char *const target_path_access = "rxl"; -const char *const target_dir_access = "x"; -const char *const no_access = ""; - -void check_system_access(const std::string pathLabel, bool apply = true) { - check_exact_smack_accesses("User", pathLabel, (apply ? owner_access : no_access)); - check_exact_smack_accesses("System", pathLabel, (apply ? owner_access : no_access)); -} - -void check_owner_access(const std::string &ownerLabel, const std::string &pathLabel, bool apply = true) { - check_exact_smack_accesses(ownerLabel, pathLabel, (apply ? owner_access : no_access)); -} - -void check_target_access(const std::string &ownerPkgLabel, const std::string &targetLabel, - const std::string &pathLabel, bool pathShared = true, bool anyPathShared = true) { - check_exact_smack_accesses(targetLabel, pathLabel, (pathShared ? target_path_access : no_access)); - check_exact_smack_accesses(targetLabel, ownerPkgLabel, (anyPathShared ? 
target_dir_access : no_access)); -} - -void check_path_label(const std::string &path, const std::string &expectedLabel) { - char *label = nullptr; - int ret = smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, 0, &label); - RUNNER_ASSERT_MSG(ret > 0, "smack_new_label_from_path failed for " << path); - SmackLabelPtr realLabel(label); - RUNNER_ASSERT_MSG(realLabel.get() == expectedLabel, "Fetched label from " << path << " different" - " than expected, is : " << realLabel.get() << " should be " << expectedLabel); -} - -void createFile(const std::string &filePath) -{ - //create temporary file and set label for it - mode_t systemMask; - - unlink(filePath.c_str()); - //allow to create file with 777 rights - systemMask = umask(0000); - int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO); - //restore system mask - umask(systemMask); - RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests"); - - //for descriptor protection - FdUniquePtr fd_ptr(&fd); - - //change owner and group to user APP - int ret = chown(filePath.c_str(), APP_UID, APP_GID); - RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner"); -} - -} - -RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING) - -RUNNER_TEST(security_manager_30a_send_incomplete_req1) -{ - SharingRequest request; - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); - request.setOwnerAppId("someOwner"); - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); - request.setTargetAppId("someTarget"); - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); -} - -RUNNER_TEST(security_manager_30b_send_incomplete_req2) -{ - SharingRequest request; - request.setTargetAppId("someTarget"); - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); - request.setOwnerAppId("someOwner"); - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); -} - -RUNNER_TEST(security_manager_30c_send_incomplete_req3) -{ - 
SharingRequest request; - const char *somePaths[] = {"path1", "path2"}; - request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0])); - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); - request.setOwnerAppId("someOwner"); - Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE); -} - -RUNNER_TEST(security_manager_30d_unknown_owner) -{ - // This test depends on order of checks in security-manager service implementation - SharingRequest request; - request.setOwnerAppId("ImPrettySureIDontExist"); - request.setTargetAppId("IDontMatter"); - const char *somePaths[] = {"path1", "path2"}; - request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0])); - Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN); -} - -struct PathInfo { - const std::string &path; - app_install_path_type path_type; -}; - -static InstallRequest createInstallReq(const std::string &appName, const std::string &pkgName, - const std::vector &paths){ - InstallRequest req; - req.setAppId(appName); - req.setPkgId(pkgName); - for (const auto &pathInfo : paths) { - req.addPath(pathInfo.path, pathInfo.path_type); - } - return req; -} - -static InstallRequest createInstallReq(const AppInstallHelper &info, - const std::vector &paths = std::vector()){ - return createInstallReq(info.getAppId(), info.getPkgId(), paths); -} - -static void clearLabels(const std::string &path) { - int result = nftw(path.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS); - RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << path); -} - - -RUNNER_TEST(security_manager_30e_unknown_target) -{ - // This test depends on order of checks in security-manager service implementation - AppInstallHelper owner("installedApp"); - owner.revokeRules(); - owner.createInstallDir(); - InstallRequest ownerInst; - ownerInst.setAppId(owner.getAppId()); - ownerInst.setPkgId(owner.getPkgId()); - Api::install(ownerInst); - - SharingRequest request; - 
request.setOwnerAppId(owner.getAppId()); - request.setTargetAppId("NowImPrettySureIDontExist"); - const char *somePaths[] = {"path1", "path2"}; - request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0])); - Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - - Api::uninstall(ownerInst); -} - -RUNNER_TEST(security_manager_30f_bad_paths) -{ - // This test depends on order of checks in security-manager service implementation - AppInstallHelper owner("installedApp"); - owner.revokeRules(); - owner.createInstallDir(); - InstallRequest ownerInst = createInstallReq(owner); - Api::install(ownerInst); - - AppInstallHelper target("secondInstalledApp"); - target.revokeRules(); - target.createInstallDir(); - InstallRequest targetInst = createInstallReq(target); - Api::install(targetInst); - - SharingRequest request; - request.setOwnerAppId(owner.getAppId()); - request.setTargetAppId(target.getAppId()); - - const char *somePath = "/tmp/somePath"; - createFile(somePath); - const char *somePaths[] = {somePath}; - request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0])); - Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER); - - Api::uninstall(ownerInst); - Api::uninstall(targetInst); -} - -RUNNER_TEST(security_manager_31_simple_share) -{ - std::vector helper {{"app31a"}, {"app31b"}}; - auto &owner = helper[0]; - auto &target = helper[1]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = 
{sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::dropSharing(share1); - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::uninstall(ownerReq); - Api::uninstall(targetReq); -} - -RUNNER_TEST(security_manager_32_double_share) -{ - std::vector helper {{"app32a"}, {"app32b"}}; - auto &owner = helper[0]; - auto &target = helper[1]; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(0); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel); - 
check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::applySharing(share1); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::dropSharing(share1); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::dropSharing(share1); - check_system_access(pathLabel, false); - check_owner_access(owner.generateAppLabel(), pathLabel, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::uninstall(ownerReq); - Api::uninstall(targetReq); -} -RUNNER_TEST(security_manager_33_share_two_with_one) -{ - std::vector helper {{"app33a"}, {"app33b"}}; - auto &owner = helper[0]; - auto &target = helper[1]; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - owner.createPrivateDir(); - owner.createSharedFile(0); - owner.createSharedFile(1); - clearLabels(owner.getInstallDir()); - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW}, - PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1, share2; - std::string sharedPath1 = owner.getSharedPath(0); - std::string sharedPath2 = owner.getSharedPath(1); - share1.setOwnerAppId(owner.getAppId()); - share2.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - 
share2.setTargetAppId(target.getAppId()); - const char *path1[] = {sharedPath1.c_str()}; - const char *path2[] = {sharedPath2.c_str()}; - share1.addPaths(path1, 1); - share2.addPaths(path2, 1); - - Api::applySharing(share1); - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath1.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath1, pathLabel1); - - Api::applySharing(share2); - std::string pathLabel2 = db.get_path_label(sharedPath2.c_str()); - RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2); - RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for private shared paths should be unique!"); - - check_system_access(pathLabel1); - check_system_access(pathLabel2); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel2); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2); - check_path_label(sharedPath1, pathLabel1); - check_path_label(sharedPath2, pathLabel2); - - Api::dropSharing(share1); - check_system_access(pathLabel1, false); - check_system_access(pathLabel2); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2); - check_path_label(sharedPath1, owner.generatePkgLabel()); - check_path_label(sharedPath2, pathLabel2); - - Api::dropSharing(share2); - check_system_access(pathLabel1, false); - check_system_access(pathLabel2, 
false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel2, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2, false, false); - check_path_label(sharedPath1, owner.generatePkgLabel()); - check_path_label(sharedPath2, owner.generatePkgLabel()); - - Api::uninstall(ownerReq); - Api::uninstall(targetReq); -} - -RUNNER_TEST(security_manager_34_share_one_with_two) -{ - std::vector helper {{"app34a"}, {"app34b"}, {"app34c"}}; - auto &owner = helper[0]; - auto &target1 = helper[1]; - auto &target2 = helper[2]; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - for (size_t i = 1; i < helper.size(); i++) { - InstallRequest targetReq = createInstallReq(helper[i]); - Api::install(targetReq); - } - - SharingRequest share1, share2; - std::string sharedPath = owner.getSharedPath(0).c_str(); - share1.setOwnerAppId(owner.getAppId()); - share2.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target1.getAppId()); - share2.setTargetAppId(target2.getAppId()); - - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - share2.addPaths(path, 1); - - Api::applySharing(share1); - TestSecurityManagerDatabase db; - std::string pathLabel = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); - 
check_path_label(sharedPath, pathLabel); - - Api::applySharing(share2); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::dropSharing(share1); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::dropSharing(share2); - check_system_access(pathLabel, false); - check_owner_access(owner.generateAppLabel(), pathLabel, false); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::uninstall(ownerReq); - for (size_t i = 1; i < helper.size(); i++) { - InstallRequest targetReq = createInstallReq(helper[i]); - Api::uninstall(targetReq); - } -} - -RUNNER_TEST(security_manager_35_share_two_with_two) -{ - std::vector helper {{"app35a"}, {"app35b"}, {"app35c"}}; - auto &owner = helper[0]; - auto &target1 = helper[1]; - auto &target2 = helper[2]; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - owner.createPrivateDir(); - owner.createSharedFile(0); - owner.createSharedFile(1); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW}, - PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}}); - - Api::install(ownerReq); - - for (size_t i = 1; i < helper.size(); i++) { - InstallRequest 
targetReq = createInstallReq(helper[i]); - Api::install(targetReq); - } - - SharingRequest share1, share2; - std::string sharedPath1 = owner.getSharedPath(0).c_str(); - std::string sharedPath2 = owner.getSharedPath(1).c_str(); - share1.setOwnerAppId(owner.getAppId()); - share2.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target1.getAppId()); - share2.setTargetAppId(target2.getAppId()); - - const char *path1[] = {sharedPath1.c_str()}; - const char *path2[] = {sharedPath2.c_str()}; - share1.addPaths(path1, 1); - share2.addPaths(path2, 1); - - Api::applySharing(share1); - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath1.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1); - check_path_label(sharedPath1, pathLabel1); - - Api::applySharing(share2); - std::string pathLabel2 = db.get_path_label(sharedPath2.c_str()); - RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2); - RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for shared files should be unique!"); - - check_system_access(pathLabel1); - check_system_access(pathLabel2); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel2); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2); - check_path_label(sharedPath1, pathLabel1); - check_path_label(sharedPath2, pathLabel2); - - Api::dropSharing(share2); - check_system_access(pathLabel1); - check_system_access(pathLabel2, false); - check_owner_access(owner.generateAppLabel(), pathLabel1); - 
check_owner_access(owner.generateAppLabel(), pathLabel2, false); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false); - check_path_label(sharedPath1, pathLabel1); - check_path_label(sharedPath2, owner.generatePkgLabel()); - - Api::dropSharing(share1); - check_system_access(pathLabel1, false); - check_system_access(pathLabel2, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel2, false); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1, false, false); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false); - check_path_label(sharedPath1, owner.generatePkgLabel()); - check_path_label(sharedPath2, owner.generatePkgLabel()); - Api::uninstall(ownerReq); - for (size_t i = 1; i < helper.size(); i++) { - InstallRequest targetReq; - targetReq.setAppId(helper[i].getAppId()); - targetReq.setPkgId(helper[i].getAppId()); - Api::uninstall(targetReq); - } -} - -RUNNER_TEST(security_manager_35_share_uninstall_target) { - std::vector helper {{"app35aa"}, {"app35bb"}}; - auto &owner = helper[0]; - auto &target = helper[1]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - 
TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::uninstall(targetReq); - - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - Api::uninstall(ownerReq); -} - -RUNNER_TEST(security_manager_35_share_uninstall_owner) { - std::vector helper {{"app35aaa"}, {"app35bbb"}}; - auto &owner = helper[0]; - auto &target = helper[1]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - 
check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - owner.removePaths(); - Api::uninstall(ownerReq); - - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - Api::uninstall(targetReq); -} - -RUNNER_TEST(security_manager_36_share_pkg_owner_uninstall) { - std::vector helper {{"app36a", "pkg1"}, {"app36b", "pkg1"}, {"app36c", "pkg2"}}; - auto &owner = helper[0]; - auto &pkgApp = helper[1]; - auto &target = helper[2]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest pkgAppReq = createInstallReq(pkgApp); - Api::install(pkgAppReq); - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - owner.removePaths(); - 
Api::uninstall(ownerReq); - - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - Api::uninstall(pkgAppReq); - Api::uninstall(targetReq); -} - -RUNNER_TEST(security_manager_36_share_pkg_owner_drop) { - std::vector helper {{"app36aa", "pkg1"}, {"app36bb", "pkg1"}, {"app36cc", "pkg2"}}; - auto &owner = helper[0]; - auto &pkgApp = helper[1]; - auto &target = helper[2]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest pkgAppReq = createInstallReq(pkgApp); - Api::install(pkgAppReq); - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::dropSharing(share1); - - check_system_access(pathLabel1, false); - 
check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::uninstall(ownerReq); - Api::uninstall(pkgAppReq); - Api::uninstall(targetReq); -} - -RUNNER_TEST(security_manager_36_share_pkg_target_uninstall) { - std::vector helper {{"app36aaa", "pkg1"}, {"app36bbb", "pkg1"}, {"app36ccc", "pkg2"}}; - auto &owner = helper[0]; - auto &pkgApp = helper[1]; - auto &target = helper[2]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest pkgAppReq = createInstallReq(pkgApp); - Api::install(pkgAppReq); - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::uninstall(targetReq); - - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), 
pathLabel1, false); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - - Api::uninstall(ownerReq); - Api::uninstall(pkgAppReq); -} - -RUNNER_TEST(security_manager_37_pkg_double_share_target_uninstall) { - std::vector helper {{"app37a", "pkg1"}, {"app37b", "pkg1"}, {"app37c", "pkg2"}}; - auto &owner = helper[0]; - auto &pkgApp = helper[1]; - auto &target = helper[2]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest pkgAppReq = createInstallReq(pkgApp); - Api::install(pkgAppReq); - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::applySharing(share1); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - 
check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::uninstall(targetReq); - - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - - Api::uninstall(ownerReq); - Api::uninstall(pkgAppReq); -} - -RUNNER_TEST(security_manager_37_pkg_double_share_owner_uninstall) { - std::vector helper {{"app37aa", "pkg1"}, {"app37bb", "pkg1"}, {"app37cc", "pkg2"}}; - auto &owner = helper[0]; - auto &pkgApp = helper[1]; - auto &target = helper[2]; - - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - InstallRequest pkgAppReq = createInstallReq(pkgApp); - Api::install(pkgAppReq); - InstallRequest targetReq = createInstallReq(target); - Api::install(targetReq); - - SharingRequest share1; - std::string sharedPath = owner.getSharedPath(); - share1.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target.getAppId()); - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - Api::applySharing(share1); - - TestSecurityManagerDatabase db; - std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - 
check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - Api::applySharing(share1); - - check_system_access(pathLabel1); - check_owner_access(owner.generateAppLabel(), pathLabel1); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); - check_path_label(sharedPath, pathLabel1); - - owner.removePaths(); - Api::uninstall(ownerReq); - - check_system_access(pathLabel1, false); - check_owner_access(owner.generateAppLabel(), pathLabel1, false); - check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); - check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - - Api::uninstall(targetReq); - Api::uninstall(pkgAppReq); -} - -RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_target) -{ - std::vector helper {{"app38a"}, {"app38b"}, {"app38c"}}; - auto &owner = helper[0]; - auto &target1 = helper[1]; - auto &target2 = helper[2]; - - // cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - - InstallRequest targetReq1 = createInstallReq(target1); - Api::install(targetReq1); - InstallRequest targetReq2 = createInstallReq(target2); - Api::install(targetReq2); - - SharingRequest share1, share2; - std::string sharedPath = owner.getSharedPath(0).c_str(); - share1.setOwnerAppId(owner.getAppId()); - share2.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target1.getAppId()); - share2.setTargetAppId(target2.getAppId()); - - const char *path[] = 
{sharedPath.c_str()}; - share1.addPaths(path, 1); - share2.addPaths(path, 1); - - Api::applySharing(share1); - TestSecurityManagerDatabase db; - std::string pathLabel = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::applySharing(share2); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::uninstall(targetReq1); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::dropSharing(share2); - check_system_access(pathLabel, false); - check_owner_access(owner.generateAppLabel(), pathLabel, false); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false); - check_path_label(sharedPath, owner.generatePkgLabel()); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - Api::uninstall(ownerReq); - Api::uninstall(targetReq2); -} - -RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_owner) -{ - std::vector helper {{"app38aa"}, {"app38bb"}, {"app38cc"}}; - auto &owner = helper[0]; - auto &target1 = helper[1]; - auto &target2 = helper[2]; - - // 
cleanup - for (auto &e : helper) { - e.revokeRules(); - e.createInstallDir(); - } - owner.createPrivateDir(); - owner.createSharedFile(); - clearLabels(owner.getInstallDir()); - - InstallRequest ownerReq = createInstallReq(owner, - {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); - Api::install(ownerReq); - - - InstallRequest targetReq1 = createInstallReq(target1); - Api::install(targetReq1); - InstallRequest targetReq2 = createInstallReq(target2); - Api::install(targetReq2); - - SharingRequest share1, share2; - std::string sharedPath = owner.getSharedPath(0).c_str(); - share1.setOwnerAppId(owner.getAppId()); - share2.setOwnerAppId(owner.getAppId()); - share1.setTargetAppId(target1.getAppId()); - share2.setTargetAppId(target2.getAppId()); - - const char *path[] = {sharedPath.c_str()}; - share1.addPaths(path, 1); - share2.addPaths(path, 1); - - Api::applySharing(share1); - TestSecurityManagerDatabase db; - std::string pathLabel = db.get_path_label(sharedPath.c_str()); - RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); - - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - Api::applySharing(share2); - check_system_access(pathLabel); - check_owner_access(owner.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); - check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); - check_path_label(sharedPath, pathLabel); - - owner.removePaths(); - Api::uninstall(ownerReq); - check_system_access(pathLabel, false); - check_owner_access(owner.generateAppLabel(), pathLabel,false); - check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); - check_target_access(owner.generatePkgLabel(), 
target2.generateAppLabel(), pathLabel, false, false); - - Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - Api::dropSharing(share2, SECURITY_MANAGER_ERROR_APP_UNKNOWN); - Api::uninstall(targetReq1); - Api::uninstall(targetReq2); -} RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING) @@ -2979,8 +1877,6 @@ static UidGidMsg readCreds(int pipefd0) return msg; } - - static void testSetLabelForSelf(const char *app_id, bool expected_success) { std::string label = generateAppLabel(app_id); diff --git a/src/security-manager-tests/test_cases_private_sharing.cpp b/src/security-manager-tests/test_cases_private_sharing.cpp new file mode 100644 index 00000000..89328b96 --- /dev/null +++ b/src/security-manager-tests/test_cases_private_sharing.cpp 
@@ -0,0 +1,1097 @@
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// This has to be before xattr header, because it uses size_t and ssize_t and does not include this
+// I hate you, xattr
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+using namespace SecurityManagerTest;
+namespace {
+const char *const owner_access = "rwxat";
+const char *const target_path_access = "rxl";
+const char *const target_dir_access = "x";
+const char *const no_access = "";
+
+void check_system_access(const std::string pathLabel, bool apply = true) {
+ check_exact_smack_accesses("User", pathLabel, (apply ? owner_access : no_access));
+ check_exact_smack_accesses("System", pathLabel, (apply ? owner_access : no_access));
+}
+
+void check_owner_access(const std::string &ownerLabel, const std::string &pathLabel, bool apply = true) {
+ check_exact_smack_accesses(ownerLabel, pathLabel, (apply ? owner_access : no_access));
+}
+
+void check_target_access(const std::string &ownerPkgLabel, const std::string &targetLabel,
+ const std::string &pathLabel, bool pathShared = true, bool anyPathShared = true) {
+ check_exact_smack_accesses(targetLabel, pathLabel, (pathShared ? target_path_access : no_access));
+ check_exact_smack_accesses(targetLabel, ownerPkgLabel, (anyPathShared ? target_dir_access : no_access));
+}
+
+void check_path_label(const std::string &path, const std::string &expectedLabel) {
+ char *label = nullptr;
+ int ret = smack_new_label_from_path(path.c_str(), XATTR_NAME_SMACK, 0, &label);
+ RUNNER_ASSERT_MSG(ret > 0, "smack_new_label_from_path failed for " << path);
+ SmackLabelPtr realLabel(label);
+ RUNNER_ASSERT_MSG(realLabel.get() == expectedLabel, "Fetched label from " << path << " different"
+ " than expected, is : " << realLabel.get() << " should be " << expectedLabel);
+}
+
+void createFile(const std::string &filePath)
+{
+ //create temporary file and set label for it
+ mode_t systemMask;
+
+ unlink(filePath.c_str());
+ //allow to create file with 777 rights
+ systemMask = umask(0000);
+ int fd = open(filePath.c_str(), O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
+ //restore system mask
+ umask(systemMask);
+ RUNNER_ASSERT_ERRNO_MSG(fd > -1, "Unable to create file for tests");
+
+ //for descriptor protection
+ FdUniquePtr fd_ptr(&fd);
+
+ //change owner and group to user APP
+ int ret = chown(filePath.c_str(), APP_UID, APP_GID);
+ RUNNER_ASSERT_ERRNO_MSG(ret == 0, "Unable to change file owner");
+}
+
+struct PathInfo {
+ const std::string &path;
+ app_install_path_type path_type;
+};
+
+InstallRequest createInstallReq(const std::string &appName, const std::string &pkgName,
+ const std::vector &paths){
+ InstallRequest req;
+ req.setAppId(appName);
+ req.setPkgId(pkgName);
+ for (const auto &pathInfo : paths) {
+ req.addPath(pathInfo.path, pathInfo.path_type);
+ }
+ return req;
+}
+
+InstallRequest createInstallReq(const AppInstallHelper &info,
+ const std::vector &paths = std::vector()){
+ return createInstallReq(info.getAppId(), info.getPkgId(), paths);
+}
+
+void clearLabels(const std::string &path) {
+ int result = nftw(path.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << path);
+}
+
+}
+
+RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING)
+
+RUNNER_TEST(security_manager_30a_send_incomplete_req1)
+{
+ SharingRequest request;
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setTargetAppId("someTarget");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30b_send_incomplete_req2)
+{
+ SharingRequest request;
+ request.setTargetAppId("someTarget");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30c_send_incomplete_req3)
+{
+ SharingRequest request;
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+ request.setOwnerAppId("someOwner");
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
+}
+
+RUNNER_TEST(security_manager_30d_unknown_owner)
+{
+ // This test depends on order of checks in security-manager service implementation
+ SharingRequest request;
+ request.setOwnerAppId("ImPrettySureIDontExist");
+ request.setTargetAppId("IDontMatter");
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+}
+
+RUNNER_TEST(security_manager_30e_unknown_target)
+{
+ // This test depends on order of checks in security-manager service implementation
+ AppInstallHelper owner("installedApp");
+ owner.revokeRules();
+ owner.createInstallDir();
+ InstallRequest ownerInst;
+ ownerInst.setAppId(owner.getAppId());
+ ownerInst.setPkgId(owner.getPkgId());
+ Api::install(ownerInst);
+
+ SharingRequest request;
+ request.setOwnerAppId(owner.getAppId());
+ request.setTargetAppId("NowImPrettySureIDontExist");
+ const char *somePaths[] = {"path1", "path2"};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerInst);
+}
+
+RUNNER_TEST(security_manager_30f_bad_paths)
+{
+ // This test depends on order of checks in security-manager service implementation
+ AppInstallHelper owner("installedApp");
+ owner.revokeRules();
+ owner.createInstallDir();
+ InstallRequest ownerInst = createInstallReq(owner);
+ Api::install(ownerInst);
+
+ AppInstallHelper target("secondInstalledApp");
+ target.revokeRules();
+ target.createInstallDir();
+ InstallRequest targetInst = createInstallReq(target);
+ Api::install(targetInst);
+
+ SharingRequest request;
+ request.setOwnerAppId(owner.getAppId());
+ request.setTargetAppId(target.getAppId());
+
+ const char *somePath = "/tmp/somePath";
+ createFile(somePath);
+ const char *somePaths[] = {somePath};
+ request.addPaths(somePaths, sizeof(somePaths)/sizeof(somePaths[0]));
+ Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER);
+
+ Api::uninstall(ownerInst);
+ Api::uninstall(targetInst);
+}
+
+RUNNER_TEST(security_manager_31_simple_share)
+{
+ std::vector helper {{"app31a"}, {"app31b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_32_double_share)
+{
+ std::vector helper {{"app32a"}, {"app32b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath(0);
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq);
+}
+RUNNER_TEST(security_manager_33_share_two_with_one)
+{
+ std::vector helper {{"app33a"}, {"app33b"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile(0);
+ owner.createSharedFile(1);
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1, share2;
+ std::string sharedPath1 = owner.getSharedPath(0);
+ std::string sharedPath2 = owner.getSharedPath(1);
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ share2.setTargetAppId(target.getAppId());
+ const char *path1[] = {sharedPath1.c_str()};
+ const char *path2[] = {sharedPath2.c_str()};
+ share1.addPaths(path1, 1);
+ share2.addPaths(path2, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath1.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath1, pathLabel1);
+
+ Api::applySharing(share2);
+ std::string pathLabel2 = db.get_path_label(sharedPath2.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2);
+ RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for private shared paths should be unique!");
+
+ check_system_access(pathLabel1);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel2);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, pathLabel1);
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share1);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2);
+ check_path_label(sharedPath1, owner.generatePkgLabel());
+ check_path_label(sharedPath2, pathLabel2);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel1, false);
+ check_system_access(pathLabel2,
false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel2, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel2, false, false); + check_path_label(sharedPath1, owner.generatePkgLabel()); + check_path_label(sharedPath2, owner.generatePkgLabel()); + + Api::uninstall(ownerReq); + Api::uninstall(targetReq); +} + +RUNNER_TEST(security_manager_34_share_one_with_two) +{ + std::vector helper {{"app34a"}, {"app34b"}, {"app34c"}}; + auto &owner = helper[0]; + auto &target1 = helper[1]; + auto &target2 = helper[2]; + + // cleanup + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + for (size_t i = 1; i < helper.size(); i++) { + InstallRequest targetReq = createInstallReq(helper[i]); + Api::install(targetReq); + } + + SharingRequest share1, share2; + std::string sharedPath = owner.getSharedPath(0).c_str(); + share1.setOwnerAppId(owner.getAppId()); + share2.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target1.getAppId()); + share2.setTargetAppId(target2.getAppId()); + + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + share2.addPaths(path, 1); + + Api::applySharing(share1); + TestSecurityManagerDatabase db; + std::string pathLabel = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); + 
check_path_label(sharedPath, pathLabel); + + Api::applySharing(share2); + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + Api::dropSharing(share1); + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + Api::dropSharing(share2); + check_system_access(pathLabel, false); + check_owner_access(owner.generateAppLabel(), pathLabel, false); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false); + check_path_label(sharedPath, owner.generatePkgLabel()); + + Api::uninstall(ownerReq); + for (size_t i = 1; i < helper.size(); i++) { + InstallRequest targetReq = createInstallReq(helper[i]); + Api::uninstall(targetReq); + } +} + +RUNNER_TEST(security_manager_35_share_two_with_two) +{ + std::vector helper {{"app35a"}, {"app35b"}, {"app35c"}}; + auto &owner = helper[0]; + auto &target1 = helper[1]; + auto &target2 = helper[2]; + + // cleanup + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + owner.createPrivateDir(); + owner.createSharedFile(0); + owner.createSharedFile(1); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW}, + PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}}); + + Api::install(ownerReq); + + for (size_t i = 1; i < helper.size(); i++) { + InstallRequest 
targetReq = createInstallReq(helper[i]); + Api::install(targetReq); + } + + SharingRequest share1, share2; + std::string sharedPath1 = owner.getSharedPath(0).c_str(); + std::string sharedPath2 = owner.getSharedPath(1).c_str(); + share1.setOwnerAppId(owner.getAppId()); + share2.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target1.getAppId()); + share2.setTargetAppId(target2.getAppId()); + + const char *path1[] = {sharedPath1.c_str()}; + const char *path2[] = {sharedPath2.c_str()}; + share1.addPaths(path1, 1); + share2.addPaths(path2, 1); + + Api::applySharing(share1); + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath1.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath1); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1); + check_path_label(sharedPath1, pathLabel1); + + Api::applySharing(share2); + std::string pathLabel2 = db.get_path_label(sharedPath2.c_str()); + RUNNER_ASSERT_MSG(!pathLabel2.empty(), "Couldn't fetch path label from database for file " << sharedPath2); + RUNNER_ASSERT_MSG(pathLabel1 != pathLabel2, "Labels for shared files should be unique!"); + + check_system_access(pathLabel1); + check_system_access(pathLabel2); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel2); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2); + check_path_label(sharedPath1, pathLabel1); + check_path_label(sharedPath2, pathLabel2); + + Api::dropSharing(share2); + check_system_access(pathLabel1); + check_system_access(pathLabel2, false); + check_owner_access(owner.generateAppLabel(), pathLabel1); + 
check_owner_access(owner.generateAppLabel(), pathLabel2, false); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false); + check_path_label(sharedPath1, pathLabel1); + check_path_label(sharedPath2, owner.generatePkgLabel()); + + Api::dropSharing(share1); + check_system_access(pathLabel1, false); + check_system_access(pathLabel2, false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel2, false); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel1, false, false); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel2, false, false); + check_path_label(sharedPath1, owner.generatePkgLabel()); + check_path_label(sharedPath2, owner.generatePkgLabel()); + Api::uninstall(ownerReq); + for (size_t i = 1; i < helper.size(); i++) { + InstallRequest targetReq; + targetReq.setAppId(helper[i].getAppId()); + targetReq.setPkgId(helper[i].getAppId()); + Api::uninstall(targetReq); + } +} + +RUNNER_TEST(security_manager_35_share_uninstall_target) { + std::vector helper {{"app35aa"}, {"app35bb"}}; + auto &owner = helper[0]; + auto &target = helper[1]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + 
TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + Api::uninstall(targetReq); + + check_system_access(pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + check_path_label(sharedPath, owner.generatePkgLabel()); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + Api::uninstall(ownerReq); +} + +RUNNER_TEST(security_manager_35_share_uninstall_owner) { + std::vector helper {{"app35aaa"}, {"app35bbb"}}; + auto &owner = helper[0]; + auto &target = helper[1]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + 
check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + owner.removePaths(); + Api::uninstall(ownerReq); + + check_system_access(pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + Api::uninstall(targetReq); +} + +RUNNER_TEST(security_manager_36_share_pkg_owner_uninstall) { + std::vector helper {{"app36a", "pkg1"}, {"app36b", "pkg1"}, {"app36c", "pkg2"}}; + auto &owner = helper[0]; + auto &pkgApp = helper[1]; + auto &target = helper[2]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest pkgAppReq = createInstallReq(pkgApp); + Api::install(pkgAppReq); + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + owner.removePaths(); + 
Api::uninstall(ownerReq); + + check_system_access(pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + Api::uninstall(pkgAppReq); + Api::uninstall(targetReq); +} + +RUNNER_TEST(security_manager_36_share_pkg_owner_drop) { + std::vector helper {{"app36aa", "pkg1"}, {"app36bb", "pkg1"}, {"app36cc", "pkg2"}}; + auto &owner = helper[0]; + auto &pkgApp = helper[1]; + auto &target = helper[2]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest pkgAppReq = createInstallReq(pkgApp); + Api::install(pkgAppReq); + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + Api::dropSharing(share1); + + check_system_access(pathLabel1, false); + 
check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + check_path_label(sharedPath, owner.generatePkgLabel()); + + Api::uninstall(ownerReq); + Api::uninstall(pkgAppReq); + Api::uninstall(targetReq); +} + +RUNNER_TEST(security_manager_36_share_pkg_target_uninstall) { + std::vector helper {{"app36aaa", "pkg1"}, {"app36bbb", "pkg1"}, {"app36ccc", "pkg2"}}; + auto &owner = helper[0]; + auto &pkgApp = helper[1]; + auto &target = helper[2]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest pkgAppReq = createInstallReq(pkgApp); + Api::install(pkgAppReq); + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + Api::uninstall(targetReq); + + check_system_access(pathLabel1, false); + check_owner_access(owner.generateAppLabel(), 
pathLabel1, false); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + check_path_label(sharedPath, owner.generatePkgLabel()); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + + Api::uninstall(ownerReq); + Api::uninstall(pkgAppReq); +} + +RUNNER_TEST(security_manager_37_pkg_double_share_target_uninstall) { + std::vector helper {{"app37a", "pkg1"}, {"app37b", "pkg1"}, {"app37c", "pkg2"}}; + auto &owner = helper[0]; + auto &pkgApp = helper[1]; + auto &target = helper[2]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest pkgAppReq = createInstallReq(pkgApp); + Api::install(pkgAppReq); + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + Api::applySharing(share1); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + 
check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + Api::uninstall(targetReq); + + check_system_access(pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + check_path_label(sharedPath, owner.generatePkgLabel()); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + + Api::uninstall(ownerReq); + Api::uninstall(pkgAppReq); +} + +RUNNER_TEST(security_manager_37_pkg_double_share_owner_uninstall) { + std::vector helper {{"app37aa", "pkg1"}, {"app37bb", "pkg1"}, {"app37cc", "pkg2"}}; + auto &owner = helper[0]; + auto &pkgApp = helper[1]; + auto &target = helper[2]; + + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + InstallRequest pkgAppReq = createInstallReq(pkgApp); + Api::install(pkgAppReq); + InstallRequest targetReq = createInstallReq(target); + Api::install(targetReq); + + SharingRequest share1; + std::string sharedPath = owner.getSharedPath(); + share1.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target.getAppId()); + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + Api::applySharing(share1); + + TestSecurityManagerDatabase db; + std::string pathLabel1 = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + 
check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + Api::applySharing(share1); + + check_system_access(pathLabel1); + check_owner_access(owner.generateAppLabel(), pathLabel1); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1); + check_path_label(sharedPath, pathLabel1); + + owner.removePaths(); + Api::uninstall(ownerReq); + + check_system_access(pathLabel1, false); + check_owner_access(owner.generateAppLabel(), pathLabel1, false); + check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false); + check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + + Api::uninstall(targetReq); + Api::uninstall(pkgAppReq); +} + +RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_target) +{ + std::vector helper {{"app38a"}, {"app38b"}, {"app38c"}}; + auto &owner = helper[0]; + auto &target1 = helper[1]; + auto &target2 = helper[2]; + + // cleanup + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + + InstallRequest targetReq1 = createInstallReq(target1); + Api::install(targetReq1); + InstallRequest targetReq2 = createInstallReq(target2); + Api::install(targetReq2); + + SharingRequest share1, share2; + std::string sharedPath = owner.getSharedPath(0).c_str(); + share1.setOwnerAppId(owner.getAppId()); + share2.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target1.getAppId()); + share2.setTargetAppId(target2.getAppId()); + + const char *path[] = 
{sharedPath.c_str()}; + share1.addPaths(path, 1); + share2.addPaths(path, 1); + + Api::applySharing(share1); + TestSecurityManagerDatabase db; + std::string pathLabel = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + Api::applySharing(share2); + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + Api::uninstall(targetReq1); + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + Api::dropSharing(share2); + check_system_access(pathLabel, false); + check_owner_access(owner.generateAppLabel(), pathLabel, false); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false); + check_path_label(sharedPath, owner.generatePkgLabel()); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + Api::uninstall(ownerReq); + Api::uninstall(targetReq2); +} + +RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_owner) +{ + std::vector helper {{"app38aa"}, {"app38bb"}, {"app38cc"}}; + auto &owner = helper[0]; + auto &target1 = helper[1]; + auto &target2 = helper[2]; + + // 
cleanup + for (auto &e : helper) { + e.revokeRules(); + e.createInstallDir(); + } + owner.createPrivateDir(); + owner.createSharedFile(); + clearLabels(owner.getInstallDir()); + + InstallRequest ownerReq = createInstallReq(owner, + {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}}); + Api::install(ownerReq); + + + InstallRequest targetReq1 = createInstallReq(target1); + Api::install(targetReq1); + InstallRequest targetReq2 = createInstallReq(target2); + Api::install(targetReq2); + + SharingRequest share1, share2; + std::string sharedPath = owner.getSharedPath(0).c_str(); + share1.setOwnerAppId(owner.getAppId()); + share2.setOwnerAppId(owner.getAppId()); + share1.setTargetAppId(target1.getAppId()); + share2.setTargetAppId(target2.getAppId()); + + const char *path[] = {sharedPath.c_str()}; + share1.addPaths(path, 1); + share2.addPaths(path, 1); + + Api::applySharing(share1); + TestSecurityManagerDatabase db; + std::string pathLabel = db.get_path_label(sharedPath.c_str()); + RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath); + + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + Api::applySharing(share2); + check_system_access(pathLabel); + check_owner_access(owner.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel); + check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel); + check_path_label(sharedPath, pathLabel); + + owner.removePaths(); + Api::uninstall(ownerReq); + check_system_access(pathLabel, false); + check_owner_access(owner.generateAppLabel(), pathLabel,false); + check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false); + check_target_access(owner.generatePkgLabel(), 
target2.generateAppLabel(), pathLabel, false, false); + + Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + Api::dropSharing(share2, SECURITY_MANAGER_ERROR_APP_UNKNOWN); + Api::uninstall(targetReq1); + Api::uninstall(targetReq2); +}