From: Zofia Grzelewska Date: Tue, 10 Dec 2019 14:11:27 +0000 (+0100) Subject: Fix shared_ro tests X-Git-Tag: security-manager_5.5_testing~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a6b64f524a564d9803bd508adae68dfa11464cd7;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git Fix shared_ro tests Properly setup application context, before checking access to sharedRO/nonSharedRO directories to apply mount namespaces. Change-Id: Ied891a1cad6ad82402a995f5fc210a23fa1c09d9 --- diff --git a/src/common/app_install_helper.cpp b/src/common/app_install_helper.cpp index 093da6b6..1f6e0e85 100644 --- a/src/common/app_install_helper.cpp +++ b/src/common/app_install_helper.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -34,6 +34,9 @@ #include "app_install_helper.h" namespace { + +const gid_t FILE_GROUP = 100; + std::string genSkelPath() { static std::string skelPkgDir; if (!skelPkgDir.empty()) @@ -94,6 +97,18 @@ void AppInstallHelper::setInstallPath(RootType type) const { case RootType::SKEL: info.path = genSkelPath() + "/" + getPkgId(); break; + case RootType::SHARED: + if (m_isLocal) + info.path = TzPlatformConfig::appDirPath(getUID()) + ".shared/" + getPkgId(); + else + info.path = TzPlatformConfig::globalAppDir() + "/.shared/" + getPkgId(); + break; + case RootType::SHARED_TMP: + if (m_isLocal) + info.path = TzPlatformConfig::appDirPath(getUID()) + ".shared_tmp/" + getPkgId(); + else + info.path = TzPlatformConfig::globalAppDir() + "/.shared_tmp/" + getPkgId(); + break; } } @@ -110,7 +125,7 @@ std::string AppInstallHelper::getPath(app_install_path_type smType, PathType pTy break; case PathType::FILE: // put files in the directory of the same type - path = getInstallDir(rType) + "/" + typeToPath.at(smType) + "_dir0/" + typeToPath.at(smType) + std::to_string(i); + path = getPath(smType, PathType::DIR, 0, rType) + "/" + typeToPath.at(smType) + std::to_string(i); break; } return path; @@ -137,7 +152,11 @@ std::string AppInstallHelper::getPrivatePath(int i, RootType type) const { } std::string AppInstallHelper::getSharedRODir(int i, RootType type) const { - return getPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, type); +return getPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, type); +} + +std::string AppInstallHelper::getSharedROPath(int i, RootType type) const { + return getPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::FILE, i, type); } std::string AppInstallHelper::getAppId() const { @@ -167,8 +186,8 @@ int AppInstallHelper::getGID() const { bool AppInstallHelper::createFile(app_install_path_type smType, const std::string &path) { if (creat(path.c_str(), 0751) == 0) { // Local paths need user change - m_fileTypeMap[smType].push_back(std::move(path)); - if (!m_isLocal || chown(path.c_str(), m_uidGid, m_uidGid) == 0) + m_fileTypeMap[smType].push_back(path); + if (!m_isLocal || chown(path.c_str(), m_uidGid, FILE_GROUP) == 0) return true; } return false; @@ -178,8 +197,8 @@ bool AppInstallHelper::createDir(app_install_path_type smType, const std::string mktreeSafe(path, 0777); // Dont pass base pkg dirs to SM, because transmute will be forced on RO subdirs if (!isBasePath) - m_dirTypeMap[smType].push_back(std::move(path)); - if (!m_isLocal || chown(path.c_str(), m_uidGid, m_uidGid) == 0) + m_dirTypeMap[smType].push_back(path); + if (!m_isLocal || chown(path.c_str(), m_uidGid, FILE_GROUP) == 0) return true; return false; @@ -202,12 +221,25 @@ void AppInstallHelper::createPath(app_install_path_type smType, PathType pType, createDir(smType, path); break; case PathType::FILE: - createPath(smType, PathType::DIR, i, rType); + createPath(smType, PathType::DIR, 0, rType); createFile(smType, path); break; } } +void AppInstallHelper::createDirLink(app_install_path_type smType, const std::string &dest, int i, + RootType rType) +{ + createInstallDir(rType); + std::string linkPath = getPath(smType, PathType::DIR, i, rType); + if (symlink(dest.c_str(), linkPath.c_str()) == 0) { + m_fileTypeMap[smType].push_back(linkPath); + if (m_isLocal) { + chown(linkPath.c_str(), m_uidGid, FILE_GROUP); + } + } +} + void AppInstallHelper::createTrustedDir(int i, RootType type) { createPath(SECURITY_MANAGER_PATH_TRUSTED_RW, PathType::DIR, i, type); } @@ -225,7 +257,14 @@ void AppInstallHelper::createPrivateFile(int i, RootType type) { } void AppInstallHelper::createSharedRODir(int i, RootType type) { - createPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, type); + createPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::DIR, i, RootType::SHARED); + createInstallDir(RootType::SHARED_TMP); + auto linkPath = getSharedRODir(i, RootType::SHARED); + createDirLink(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, linkPath, i, type); +} + +void AppInstallHelper::createSharedROFile(int i, RootType type) { + createPath(SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO, PathType::FILE, i, type); } void AppInstallHelper::createPrivateRODir(int i, RootType type) { diff --git a/src/common/app_install_helper.h b/src/common/app_install_helper.h index e2382610..cefeb711 100644 --- a/src/common/app_install_helper.h +++ b/src/common/app_install_helper.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -90,7 +90,9 @@ struct AppInstallHelper { enum RootType { BASE, SKEL, - EXTENDED + EXTENDED, + SHARED, + SHARED_TMP }; enum PathType { @@ -107,6 +109,7 @@ struct AppInstallHelper { void createPublicDir(RootType type = RootType::BASE); void createPrivateFile(int i = 0, RootType type = RootType::BASE); void createSharedRODir(int i = 0, RootType type = RootType::BASE); + void createSharedROFile(int i = 0, RootType type = RootType::BASE); void createPrivateRODir(int i = 0, RootType type = RootType::BASE); void removePaths(); @@ -121,6 +124,7 @@ struct AppInstallHelper { std::string getPublicDir(RootType type = RootType::BASE) const; std::string getPrivatePath(int i = 0, RootType type = RootType::BASE) const; std::string getSharedRODir(int i = 0, RootType type = RootType::BASE) const; + std::string getSharedROPath(int i = 0, RootType type = RootType::BASE) const; const TypePathsMap& getDirsMap() const; const TypePathsMap& getFilesMap() const; @@ -155,6 +159,8 @@ protected: bool createFile(app_install_path_type smType, const std::string &path); bool createDir(app_install_path_type smType, const std::string &path, bool isBasePath = false); + void createDirLink(app_install_path_type smType, const std::string &dest, int i = 0, + RootType rType = RootType::BASE); void createInstallDir(RootType type); std::string m_appName; diff --git a/src/common/label_generator.cpp b/src/common/label_generator.cpp index 6fc5140f..dbd00b54 100644 --- a/src/common/label_generator.cpp +++ b/src/common/label_generator.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -36,11 +36,6 @@ std::string generatePathROLabel(const std::string &pkgId) return generatePathRWLabel(pkgId) + "::RO"; } -std::string generatePathSharedROLabel(const std::string &pkgId) -{ - return generatePathRWLabel(pkgId) + "::SharedRO"; -} - std::string generatePathTrustedLabel(int64_t authorId) { return "User::Author::" + std::to_string(authorId); @@ -50,3 +45,8 @@ std::string getPublicPathLabel() { return "User::Home"; } + +std::string getSharedROPathLabel() +{ + return "User::App::Shared"; +} diff --git a/src/common/label_generator.h b/src/common/label_generator.h index 8c99ed42..b4af2913 100644 --- a/src/common/label_generator.h +++ b/src/common/label_generator.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,6 +20,6 @@ std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid = false); std::string generatePathRWLabel(const std::string &pkgId); std::string generatePathROLabel(const std::string &pkgId); -std::string generatePathSharedROLabel(const std::string &pkgId); std::string generatePathTrustedLabel(int64_t authorId); std::string getPublicPathLabel(); +std::string getSharedROPathLabel(); diff --git a/src/common/tests_common.h b/src/common/tests_common.h index 2eb4a009..bfb46d95 100644 --- a/src/common/tests_common.h +++ b/src/common/tests_common.h @@ -38,7 +38,7 @@ #include const uid_t APP_UID = 5001; -const gid_t APP_GID = 5001; +const gid_t APP_GID = 100; const uid_t APP_UID_2 = 5200; const gid_t APP_GID_2 = 5200; const uid_t DB_ALARM_UID = 6001; diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp index e777272f..16db76c4 100644 --- a/src/security-manager-tests/common/sm_commons.cpp +++ b/src/security-manager-tests/common/sm_commons.cpp @@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include @@ -50,12 +51,16 @@ #include "tzplatform.h" #include #include +#include using namespace SecurityManagerTest; #define CONF_DIR "/usr/share/security-manager/policy/" #define SMACK_RULES_PATH "/sys/fs/smackfs/load2" +#define ALLOW 0 +#define DENY -1 + // Common DB/nftw checks // nftw doesn't allow passing user data to functions. Work around by using global variable @@ -197,7 +202,7 @@ static void check_app_smack_accesses(const std::string &appId, const std::string const std::pair switchAliases[] = {std::make_pair("~PATH_RW~", generatePathRWLabel(pkgId)), std::make_pair("~PATH_RO~", generatePathROLabel(pkgId)), - std::make_pair("~PATH_SHARED_RO~", generatePathSharedROLabel(pkgId)), + std::make_pair("~PATH_SHARED_RO~", getSharedROPathLabel()), std::make_pair("~PROCESS~", generateProcessLabel(appId, pkgId, isHybrid))}; for (auto rule : rules[isHybrid]) { @@ -236,7 +241,6 @@ static void check_pkg_smack_rules_after_uninstall(const std::string &appId, cons const std::vector rules(std::move(parseSmackRulesFile(SMACK_RULES_PATH))); const std::string labels[] = {generatePathRWLabel(pkgId), generatePathROLabel(pkgId), - generatePathSharedROLabel(pkgId), generateProcessLabel(appId, pkgId, true), generateProcessLabel(appId, pkgId)}; for (const auto &rule : rules) { @@ -438,22 +442,30 @@ void accessCheck(const std::string &id, const std::string &path, int accessType, << " (" << accessTypeToString.at(accessType) << ")"); } +void accessTest(const std::string &id, const std::string &testPath, int accessType) { + int oppositeAccessType = getOppositeAccessType(accessType); + + if (accessType != 0) { + accessCheck(id, testPath, accessType, ALLOW); + } + if (oppositeAccessType != 0) { + static const std::vector singleAccessTypes = {R_OK, W_OK, X_OK}; + for (auto singleAccessType : singleAccessTypes) { + if (oppositeAccessType & singleAccessType) { + accessCheck(id, testPath, singleAccessType, DENY); + } + } + } +} + void runAccessTest(const std::string &label, uid_t uid, gid_t gid, const std::string &testPath, int accessType) { auto fun = [&](){ - int oppositeAccessType = getOppositeAccessType(accessType); ScopedProcessLabel spl(label, false); RUNNER_ASSERT_ERRNO_MSG(0 == drop_root_privileges(uid, gid), "drop_root_privileges failed."); - if (accessType != 0) - accessCheck(label, testPath, accessType, 0); - if (oppositeAccessType != 0) { - std::vector singleAccessTypes = {R_OK, W_OK, X_OK}; - for (auto singleAccessType : singleAccessTypes) - if (oppositeAccessType & singleAccessType) - accessCheck(label, testPath, singleAccessType, -1); - } + accessTest(label, testPath, accessType); }; runInChildParentWait(fun); @@ -461,18 +473,10 @@ void runAccessTest(const std::string &label, uid_t uid, gid_t gid, void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType) { auto fun = [&](){ - int oppositeAccessType = getOppositeAccessType(accessType); Api::setProcessLabel(app.getAppId()); RUNNER_ASSERT_ERRNO_MSG(0 == drop_root_privileges(app.getUID(), app.getGID()), "drop_root_privileges failed."); - if (accessType != 0) - accessCheck(app.getAppId(), testPath, accessType, 0); - if (oppositeAccessType != 0) { - std::vector singleAccessTypes = {R_OK, W_OK, X_OK}; - for (auto singleAccessType : singleAccessTypes) - if (oppositeAccessType & singleAccessType) - accessCheck(app.getAppId(), testPath, singleAccessType, -1); - } + accessTest(app.getAppId(), testPath, accessType); }; runInChildParentWait(fun); @@ -512,3 +516,29 @@ int countPrivacyPrivileges(const std::vector &privs) { return std::count_if(privs.begin(), privs.end(), isPrivilegePrivacy); } +int setLauncherSecurityAttributes(uid_t uid, gid_t gid) +{ + // Add launcher capabilities (cap_dac_override, cap_setgid, cap_sys_admin, cap_mac_admin), + // launcher is user process, we must drop root privileges (cap_setgid, cap_setuid are needed). + // By default, the permitted capability set is cleared when credentials change is made + // (if a process drops a capability from its permitted set, it can never reacquire that capability), + // setting the "keep capabilities" flag prevents it from being cleared. + // Effective capability set is always cleared when credential change is made, we need to add them again. + + setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep cap_setuid+ep"); + int ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0); + if (ret != 0) + return ret; + + ret = drop_root_privileges(uid, gid); + if (ret != 0) + return ret; + + setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep"); + return ret; +} +int setLauncherSecurityAttributes(TemporaryTestUser &user) +{ + return setLauncherSecurityAttributes(user.getUid(), user.getGid()); +} + diff --git a/src/security-manager-tests/common/sm_commons.h b/src/security-manager-tests/common/sm_commons.h index 3160e101..68402814 100644 --- a/src/security-manager-tests/common/sm_commons.h +++ b/src/security-manager-tests/common/sm_commons.h @@ -65,6 +65,7 @@ void check_exact_smack_accesses(const std::string &subject, CapsSetsUniquePtr setCaps(const char *cap_string); +void accessTest(const std::string &id, const std::string &testPath, int accessType); void runAccessTest(const std::string &label, uid_t uid, gid_t gid, const std::string &testPath, int accessType); void runAccessTest(const AppInstallHelper &app, const std::string &testPath, int accessType); @@ -74,3 +75,6 @@ bool isAskuserDisabled(); bool isPrivilegePrivacy(const std::string &priv); int countPrivacyPrivileges(const PrivilegeVector &privs); int countPrivacyPrivileges(const std::vector &privs); + +int setLauncherSecurityAttributes(uid_t uid, gid_t gid); +int setLauncherSecurityAttributes(TemporaryTestUser &user); diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp index fcd798ec..8b7a7fce 100644 --- a/src/security-manager-tests/test_cases.cpp +++ b/src/security-manager-tests/test_cases.cpp @@ -139,7 +139,7 @@ RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree) check_path(privateDir, generatePathRWLabel(pkgId)); check_path(privateRODir, generatePathROLabel(pkgId), false); check_path(publicRODir, getPublicPathLabel()); - check_path(sharedRODir, generatePathSharedROLabel(pkgId)); + check_path(sharedRODir, getSharedROPathLabel()); } RUNNER_TEST(security_manager_02_app_install_uninstall_full) @@ -176,7 +176,7 @@ RUNNER_TEST(security_manager_02_app_install_uninstall_full) check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId())); check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false); check_path(app.getPublicDir(), getPublicPathLabel()); - check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId())); + check_path(app.getSharedRODir(), getSharedROPathLabel()); } check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivilegesNames()); diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp index bcfe0716..ee386061 100644 --- a/src/security-manager-tests/test_cases_prepare_app.cpp +++ b/src/security-manager-tests/test_cases_prepare_app.cpp @@ -118,28 +118,6 @@ struct ThreadWrapper std::thread thread; }; -int setLauncherSecurityAttributes(TemporaryTestUser &user) -{ - // Add launcher capabilities (cap_dac_override, cap_setgid, cap_sys_admin, cap_mac_admin), - // launcher is user process, we must drop root privileges (cap_setgid, cap_setuid are needed). - // By default, the permitted capability set is cleared when credentials change is made - // (if a process drops a capability from its permitted set, it can never reacquire that capability), - // setting the "keep capabilities" flag prevents it from being cleared. - // Effective capability set is always cleared when credential change is made, we need to add them again. - - setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep cap_setuid+ep"); - int ret = prctl(PR_SET_KEEPCAPS, 1, 0, 0); - if (ret != 0) - return ret; - - ret = drop_root_privileges(user.getUid(), user.getGid()); - if (ret != 0) - return ret; - - setCaps("cap_dac_override+ep cap_setgid+ep cap_sys_admin+ep cap_mac_admin+ep"); - return ret; -} - ino_t getFileInode(const std::string &path) { struct stat st; diff --git a/src/security-manager-tests/test_cases_public_sharing.cpp b/src/security-manager-tests/test_cases_public_sharing.cpp index d882c0fa..b71ad041 100644 --- a/src/security-manager-tests/test_cases_public_sharing.cpp +++ b/src/security-manager-tests/test_cases_public_sharing.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,6 +15,7 @@ */ #include #include +#include #include #include #include @@ -32,6 +33,7 @@ using namespace SecurityManagerTest; namespace { const uid_t OWNER_UID = 5001; +const uid_t OWNER_GID = 100; const std::vector versions = { "2.4", @@ -54,6 +56,25 @@ const VersionCombinations versionCombinations = makeVersionCombinations(versions RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO) +static void runAccessTest(uid_t uid, gid_t gid, const std::string &appId, + std::function f) +{ + pid_t pid = fork(); + + RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed"); + if (pid == 0) { + setLauncherSecurityAttributes(uid, gid); + Api::prepareAppCandidate(); + Api::prepareApp(appId.c_str()); + f(); + exit(0); + } else { + + waitPid(pid); + Api::cleanupApp(appId.c_str(), uid, pid); + } +} + /** * Check whether owner app have access to own sharedRO dir */ @@ -64,10 +85,29 @@ RUNNER_CHILD_TEST(security_manager_76_owner_access) app.createSharedRODir(); ScopedInstaller sharedROPkgApp(app); - runAccessTest(app, app.getSharedRODir(), R_OK|W_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, app.getAppId(), [&]() { + accessTest(app.getAppId(), app.getSharedRODir(), R_OK|W_OK|X_OK); + }); } } +RUNNER_CHILD_TEST(security_manager_7x_test) +{ + AppInstallHelper ownerApp("owner_7x", OWNER_UID); + ownerApp.createSharedRODir(); + ScopedInstaller ownerAppInstall(ownerApp); + + AppInstallHelper otherApp("other_7x", OWNER_UID); + otherApp.createSharedRODir(); + ScopedInstaller otherAppInstall(otherApp); + + runAccessTest(OWNER_UID, OWNER_GID, ownerApp.getAppId(), [&]() { + accessTest(ownerApp.getAppId(), ownerApp.getSharedRODir(), R_OK | W_OK | X_OK); + accessTest(ownerApp.getAppId(), otherApp.getSharedRODir(), R_OK | X_OK); + exit(0); + }); +} + /** * Check whether app without shared RO path has access to shared RO dir and * no access to private directories of application from different package between @@ -84,9 +124,14 @@ RUNNER_CHILD_TEST(security_manager_77_owner_other_access_version_combinations) AppInstallHelper nonSharedApp("sm_test_77_nonshared", OWNER_UID, version.second); ScopedInstaller nonSharedAppInstall(nonSharedApp); - runAccessTest(sharedApp, sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); - runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), 0); - runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), R_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() { + accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); + }); + + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0); + accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK); + }); } } @@ -108,12 +153,17 @@ RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_sh sharedApp2.createPrivateDir(); ScopedInstaller sharedApp2Install(sharedApp2); - runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), R_OK|X_OK); - runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), R_OK|X_OK); - runAccessTest(sharedApp1, sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK); - runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - runAccessTest(sharedApp2, sharedApp1.getPrivateDir(), 0); - runAccessTest(sharedApp1, sharedApp2.getPrivateDir(), 0); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() { + accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK); + accessTest(sharedApp1.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK); + accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(), 0); + }); + + runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { + accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|X_OK); + accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); + accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(), 0); + }); } } @@ -134,9 +184,13 @@ RUNNER_CHILD_TEST(security_manager_79a_same_pkg_shared_ro_have_ro_access_to_shar sharedApp2.createSharedRODir(); ScopedInstaller sharedAppInstall2(sharedApp2); - runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK); - runAccessTest(sharedApp1, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - }; + runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() { + accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); + }); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { + accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK); + }); + } } /** @@ -155,7 +209,9 @@ RUNNER_CHILD_TEST(security_manager_79b_same_pkg_shared_ro_have_ro_access_to_shar AppInstallHelper nonSharedApp("sm_test_79b_shared2", sharedPkgName, OWNER_UID, version); ScopedInstaller nonSharedAppInstall(nonSharedApp); - runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); + }); }; } @@ -181,14 +237,23 @@ RUNNER_CHILD_TEST(security_manager_80_same_pkg_shared_ro_have_no_access_to_share AppInstallHelper nonSharedApp("sm_test_80_nonshared", sharedPkgName, OWNER_UID, version); ScopedInstaller nonSharedAppInstall(nonSharedApp); - runAccessTest(sharedApp2, sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK); - runAccessTest(sharedApp1, sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); - runAccessTest(nonSharedApp, sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK); - runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() { + accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); + }); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { + accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK); + }); + + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK); + accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); + }); sharedAppInstall1.uninstallApp(); - runAccessTest(nonSharedApp, sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK); + }); } } @@ -218,16 +283,22 @@ RUNNER_CHILD_TEST(security_manager_81_add_path_to_app_and_check_all) sharedRORequest.setUid(sharedApp2.getUID()); Api::registerPaths(sharedRORequest); - runAccessTest(sharedApp, sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); - runAccessTest(sharedApp, sharedApp.getPrivateDir(), R_OK|W_OK|X_OK); - - runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); - runAccessTest(sharedApp2, sharedApp.getSharedRODir(), R_OK|X_OK); - runAccessTest(sharedApp2, sharedApp.getPrivateDir(), 0); - - runAccessTest(nonSharedApp, sharedApp.getSharedRODir(), R_OK|X_OK); - runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), R_OK|X_OK); - runAccessTest(nonSharedApp, sharedApp.getPrivateDir(), 0); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() { + accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK); + accessTest(sharedApp.getAppId(), sharedApp.getPrivateDir(), R_OK|W_OK|X_OK); + }); + + runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { + accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); + accessTest(sharedApp2.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK); + accessTest(sharedApp2.getAppId(), sharedApp.getPrivateDir(), 0); + }); + + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK); + accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK); + accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0); + }); } } @@ -270,12 +341,17 @@ RUNNER_CHILD_TEST(security_manager_83_install_uninstall_shared_ro_app_and_check_ ScopedInstaller nonSharedAppInstall(nonSharedApp); sharedAppInstall1.uninstallApp(); + sharedApp1.removePaths(); - runAccessTest(nonSharedApp, sharedApp1.getSharedRODir(), 0); - runAccessTest(sharedApp2, sharedApp1.getSharedRODir(), 0); + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp1.getSharedRODir(), 0); + accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK); + }); - runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(), R_OK|X_OK); - runAccessTest(sharedApp2, sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { + accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), 0); + accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK); + }); } } @@ -302,7 +378,12 @@ RUNNER_CHILD_TEST(security_manager_84_install_uninstall_shared_ro_two_apps_in_on sharedAppInstall1.uninstallApp(); - runAccessTest(nonSharedApp, sharedApp2.getSharedRODir(2), R_OK|X_OK); - runAccessTest(sharedApp2, sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK); + runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() { + accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(2), R_OK|X_OK); + }); + + runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() { + accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK); + }); } } diff --git a/src/security-manager-tests/test_cases_register_paths.cpp b/src/security-manager-tests/test_cases_register_paths.cpp index ba37c8b3..26970c0d 100644 --- a/src/security-manager-tests/test_cases_register_paths.cpp +++ b/src/security-manager-tests/test_cases_register_paths.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -347,7 +347,7 @@ RUNNER_TEST(security_manager_66_path_req_check_labels) check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId())); check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false); check_path(app.getPublicDir(), getPublicPathLabel()); - check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId())); + check_path(app.getSharedRODir(), getSharedROPathLabel()); } RUNNER_TEST(security_manager_67_path_req_shared_ro_3_0) @@ -367,7 +367,7 @@ RUNNER_TEST(security_manager_67_path_req_shared_ro_3_0) preq.addPath(app.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO); Api::registerPaths(preq); - check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId())); + check_path(app.getSharedRODir(), getSharedROPathLabel()); } RUNNER_TEST(security_manager_68_path_req_shared_ro_2_X) @@ -387,7 +387,7 @@ RUNNER_TEST(security_manager_68_path_req_shared_ro_2_X) preq.addPath(app.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO); Api::registerPaths(preq); - check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId())); + check_path(app.getSharedRODir(), getSharedROPathLabel()); } RUNNER_TEST(security_manager_69_path_req_trusted_rw_no_author)