From: Zofia Abramowska Date: Tue, 23 Aug 2016 14:51:11 +0000 (+0200) Subject: SM: Code cleanup - separate privacy manager tests X-Git-Tag: security-manager_5.5_testing~20^2~63 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F90%2F85290%2F1;p=platform%2Fcore%2Ftest%2Fsecurity-tests.git SM: Code cleanup - separate privacy manager tests Change-Id: Ie5767a10b54e08846f1633de095003b50b7806c8 --- diff --git a/src/common/passwd_access.h b/src/common/passwd_access.h index 74d1f0d..e053959 100644 --- a/src/common/passwd_access.h +++ b/src/common/passwd_access.h @@ -28,7 +28,7 @@ namespace PasswdAccess { uid_t uid(const std::string &username); - void allUser(const std::string &username, uid_t &uid, gid_t &gid) { + void allUser(const std::string &username, uid_t &uid, gid_t &gid); gid_t gid(const std::string &groupname); } // namespace PasswdAccess diff --git a/src/security-manager-tests/CMakeLists.txt b/src/security-manager-tests/CMakeLists.txt index 94b1263..505e3e1 100644 --- a/src/security-manager-tests/CMakeLists.txt +++ b/src/security-manager-tests/CMakeLists.txt @@ -40,6 +40,7 @@ SET(SEC_MGR_SOURCES ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_commons.cpp ${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_file_operations.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases.cpp + ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_privacy_manager.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/security_manager_tests.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_api.cpp ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_commons.cpp diff --git a/src/security-manager-tests/common/sm_commons.cpp b/src/security-manager-tests/common/sm_commons.cpp index bec220d..86e02f1 100644 --- a/src/security-manager-tests/common/sm_commons.cpp +++ b/src/security-manager-tests/common/sm_commons.cpp @@ -422,7 +422,6 @@ void install_app(const char *app_id, const char *pkg_id, uid_t uid, app_install_ check_app_after_install(app_id, pkg_id); } - void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed, app_install_type type, bool check_after) { diff --git a/src/security-manager-tests/common/sm_commons.h b/src/security-manager-tests/common/sm_commons.h index a3c7b1d..d137f84 100644 --- a/src/security-manager-tests/common/sm_commons.h +++ b/src/security-manager-tests/common/sm_commons.h @@ -30,13 +30,17 @@ DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr); +struct app_attributes { + std::string package; + std::string Tizen_ver; +}; + const int FTW_MAX_FDS = 16; extern const privileges_t SM_ALLOWED_PRIVILEGES; extern const privileges_t SM_DENIED_PRIVILEGES; extern const privileges_t SM_NO_PRIVILEGES; extern const std::vector SM_ALLOWED_GROUPS; - static const char *const SM_RW_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir"; const std::string uidToStr(const uid_t uid); diff --git a/src/security-manager-tests/security_manager_tests.cpp b/src/security-manager-tests/security_manager_tests.cpp index e19e337..6a1a735 100644 --- a/src/security-manager-tests/security_manager_tests.cpp +++ b/src/security-manager-tests/security_manager_tests.cpp @@ -80,75 +80,14 @@ void changeSecurityContext(const std::string& label, uid_t uid, gid_t gid) RUNNER_ASSERT_ERRNO_MSG(0 == setuid(uid), "Error in setuid."); } - static const char *const SM_TRUSTED_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir_trusted"; - -static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager"; -static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager"; -static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist"; -static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement"; - -static const std::vector MANY_APPS = { - "security_manager_10_app_1", - "security_manager_10_app_2", - "security_manager_10_app_3", - "security_manager_10_app_4", - "security_manager_10_app_5" -}; - -struct app_attributes { - std::string package; - std::string Tizen_ver; -}; static const std::map MANY_APPS_PKGS = { {"security_manager_10_app_1", {"security_manager_10_pkg_1", "2.1"}}, {"security_manager_10_app_2", {"security_manager_10_pkg_2", "3.0"}}, {"security_manager_10_app_3", {"security_manager_10_pkg_3", "2.1.1"}}, {"security_manager_10_app_4", {"security_manager_10_pkg_4", "3.1"}}, - {"security_manager_10_app_5", {"security_manager_10_pkg_5", "2.2"}}, - {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}} -}; - -static const std::vector MANY_APPS_PRIVILEGES = { - { - "http://tizen.org/privilege/internet", - "http://tizen.org/privilege/display" - }, - { - "http://tizen.org/privilege/telephony", - "http://tizen.org/privilege/datasharing" - }, - { - "http://tizen.org/privilege/content.write", - "http://tizen.org/privilege/led", - "http://tizen.org/privilege/email" - }, - { - "http://tizen.org/privilege/led", - "http://tizen.org/privilege/email", - "http://tizen.org/privilege/telephony", - "http://tizen.org/privilege/datasharing" - }, - { - "http://tizen.org/privilege/internet", - "http://tizen.org/privilege/display", - "http://tizen.org/privilege/led", - "http://tizen.org/privilege/email" - } -}; - -static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false) -{ - InstallRequest request; - request.setAppId(PRIVILEGE_MANAGER_APP.c_str()); - request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str()); - request.setUid(uid); - request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str()); - if (forAdmin) - request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str()); - Api::install(request); - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + {"security_manager_10_app_5", {"security_manager_10_pkg_5", "2.2"}} }; void check_exact_access(const std::string& subject, const std::string& object, const std::string& access) @@ -214,1112 +153,8 @@ void check_exact_smack_accesses(const std::string &subject, const std::string &o } } -RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self) -{ - //TEST DATA - const std::string username("sm_test_10_user_name"); - unsigned int privileges_count = 0; - - std::map>> users2AppsMap; - std::map> apps2PrivsMap; - - for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { - apps2PrivsMap.insert(std::pair>( - MANY_APPS.at(i), std::set( - MANY_APPS_PRIVILEGES.at(i).begin(), - MANY_APPS_PRIVILEGES.at(i).end()))); - privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); - }; - - apps2PrivsMap.insert(std::pair>( - PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); - ++privileges_count; - users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); - //TEST DATA END - - SynchronizationPipe pipe; - pid_t pid = fork(); - - if (pid != 0) { //parent process - pipe.claimParentEp(); - TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false); - tmpUser.create(); - - for(const auto &user : users2AppsMap) { - - for(const auto &app : user.second) { - InstallRequest requestInst; - requestInst.setAppId(app.first.c_str()); - try { - requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str()); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); - }; - requestInst.setUid(tmpUser.getUid()); - - for (const auto &privilege : app.second) { - requestInst.addPrivilege(privilege.c_str()); - }; - - Api::install(requestInst); - }; - - //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); - }; - - //Start child process - pipe.post(); - waitPid(pid); - - tmpUser.remove(); - } else { //child process - pipe.claimChildEp(); - pipe.wait(); - - uid_t uid; gid_t gid; - PasswdAccess::allUser(username, uid, gid); - std::string uidStr = std::to_string(uid); - register_current_process_as_privilege_manager(uid); - int result = drop_root_privileges(uid, gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - std::vector policyEntries; - PolicyEntry filter; - Api::getPolicy(filter, policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); - RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); - - for (const auto &policyEntry : policyEntries) { - std::string user = policyEntry.getUser(); - std::string app = policyEntry.getAppId(); - std::string privilege = policyEntry.getPrivilege(); - - RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user); - - try { - std::set::iterator tmp = users2AppsMap.at(username).at(app).find(privilege); - if (tmp == users2AppsMap.at(username).at(app).end()) - RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what()); - }; - }; - exit(0); - }; -} - -RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged) -{ - //TEST DATA - const std::vector usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"}; - unsigned int privileges_count = 0; - - std::map>> users2AppsMap; - std::map> apps2PrivsMap; - - for (const auto &username : usernames) { - //Only entries for one of the users will be listed - privileges_count = 0; - - for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { - apps2PrivsMap.insert(std::pair>( - MANY_APPS.at(i), std::set( - MANY_APPS_PRIVILEGES.at(i).begin(), - MANY_APPS_PRIVILEGES.at(i).end()))); - privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); - }; - - users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); - }; - - users2AppsMap.at(usernames.at(0)).insert(std::pair>( - PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); - - ++privileges_count; - //TEST DATA END - - SynchronizationPipe pipe; - pid_t pid = fork(); - - if (pid != 0) { //parent process - pipe.claimParentEp(); - std::vector users = { - TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), - TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) - }; - - users.at(0).create(); - users.at(1).create(); - - //Install apps for both users - for(const auto &user : users) { - for(const auto &app : users2AppsMap.at(user.getUserName())) { - InstallRequest requestInst; - requestInst.setAppId(app.first.c_str()); - try { - requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str()); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); - }; - requestInst.setUid(user.getUid()); - - for (const auto &privilege : app.second) { - requestInst.addPrivilege(privilege.c_str()); - }; - - Api::install(requestInst); - }; - - //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); - }; - - //Start child - pipe.post(); - waitPid(pid); - - for (auto &user : users) - user.remove(); - - } else { //child process - pipe.claimChildEp(); - pipe.wait(); - - uid_t uid; gid_t gid; - PasswdAccess::allUser(usernames.at(0), uid, gid); - std::string uidStr = std::to_string(uid); - register_current_process_as_privilege_manager(uid); - - //change uid to normal user - errno = 0; - int result = drop_root_privileges(uid, gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - std::vector policyEntries; - PolicyEntry filter; - - //this call should only return privileges belonging to the current uid - Api::getPolicy(filter, policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); - RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); - - for (const auto &policyEntry : policyEntries) { - std::string user = policyEntry.getUser(); - std::string app = policyEntry.getAppId(); - std::string privilege = policyEntry.getPrivilege(); - - RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user); - - try { - std::set::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege); - if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end()) - RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what()); - }; - }; - exit(0); - }; -} - -RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged) -{ - std::vector oldPolicyVec; - Api::getPolicy(PolicyEntry(), oldPolicyVec); - std::unordered_set oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end()); - - //TEST DATA - const std::vector usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"}; - unsigned int privileges_count = oldPolicyVec.size(); - - std::map>> users2AppsMap; - std::map> apps2PrivsMap; - - for (const auto &username : usernames) { - for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { - apps2PrivsMap.insert(std::pair>( - MANY_APPS.at(i), std::set( - MANY_APPS_PRIVILEGES.at(i).begin(), - MANY_APPS_PRIVILEGES.at(i).end()))); - privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); - }; - - users2AppsMap.insert(std::make_pair(username, apps2PrivsMap)); - }; - - users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP, - std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE})); - - privileges_count += 2; - //TEST DATA END - - SynchronizationPipe pipe; - pid_t pid = fork(); - - if (pid != 0) { //parent process - pipe.claimParentEp(); - std::vector users = { - TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), - TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) - }; - - users.at(0).create(); - users.at(1).create(); - //Install apps for both users - for(const auto &user : users) { - for(const auto &app : users2AppsMap.at(user.getUserName())) { - InstallRequest requestInst; - requestInst.setAppId(app.first.c_str()); - try { - requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str()); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); - }; - requestInst.setUid(user.getUid()); - - for (const auto &privilege : app.second) { - requestInst.addPrivilege(privilege.c_str()); - }; - - Api::install(requestInst); - }; - - //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); - }; - - //Start child process - pipe.post(); - waitPid(pid); - - for (auto &user : users) - user.remove(); - - } else { //child process - pipe.claimChildEp(); - pipe.wait(); - - uid_t normalUid; - gid_t normalGid; - PasswdAccess::allUser(usernames.at(1), normalUid, normalUid); - std::string normalUidStr = std::to_string(normalUid); - uid_t adminUid = PasswdAccess::uid(usernames.at(0)); - std::string adminUidStr = std::to_string(adminUid); - register_current_process_as_privilege_manager(normalUid, true); - - //change uid to normal user - int result = drop_root_privileges(normalUid, normalGid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - - std::vector policyEntries; - //this call should succeed as the calling user is privileged - Api::getPolicy(PolicyEntry(), policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); - RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); - - for (const auto &policyEntry : policyEntries) { - if (oldPolicySet.count(policyEntry)) - continue; - - std::string user = policyEntry.getUser(); - std::string app = policyEntry.getAppId(); - std::string privilege = policyEntry.getPrivilege(); - - RUNNER_ASSERT_MSG(user == normalUid || user == adminUid, "Unexpected user: " << user); - - std::string uidStrToLook = user == normalUid ? usernames.at(0) : usernames.at(1); - - try { - std::set::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege); - if (tmp == users2AppsMap.at(uidStrToLook).at(app).end()) - RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what()); - } catch (const std::invalid_argument& e) { - RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what()); - }; - }; - - exit(0); - }; -} - -RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged) -{ - //TEST DATA - const std::vector usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"}; - - std::map>> users2AppsMap; - std::map> apps2PrivsMap; - - for (const auto &username : usernames) { - - for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { - apps2PrivsMap.insert(std::pair>( - MANY_APPS.at(i), std::set( - MANY_APPS_PRIVILEGES.at(i).begin(), - MANY_APPS_PRIVILEGES.at(i).end()))); - }; - - users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); - }; - - users2AppsMap.at(usernames.at(1)).insert(std::pair>( - PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); - - //TEST DATA END - - pid_t pid[2]; - SynchronizationPipe sync[2]; - std::vector policyEntries; - - pid[0] = fork(); - - if (pid[0] == 0) { //child #1 process - sync[0].claimChildEp(); - sync[0].wait(); - - uid_t uid; gid_t gid; - PasswdAccess::allUser(usernames.at(0), uid, gid); - register_current_process_as_privilege_manager(uid); - - //change uid to normal user - int result = drop_root_privileges(uid, gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - PolicyEntry filter; - PolicyRequest policyRequest; - - PolicyEntry policyEntry( - MANY_APPS[0], - std::to_string(uid), - "http://tizen.org/privilege/internet" - ); - policyEntry.setLevel("Deny"); - - policyRequest.addEntry(policyEntry); - policyEntry = PolicyEntry( - MANY_APPS[1], - std::to_string(uid), - "http://tizen.org/privilege/display" - ); - policyEntry.setLevel("Deny"); - - policyRequest.addEntry(policyEntry); - Api::sendPolicy(policyRequest); - - exit(0); - } else { //parent process - sync[0].claimParentEp(); - pid[1] = fork(); - - if (pid[1] == 0) { //child #2 process - sync[1].claimChildEp(); - sync[1].wait(); - - uid_t target_uid = PasswdAccess::uid(usernames.at(0)); - uid_t my_uid; - gid_t my_gid; - PasswdAccess::allUser(usernames.at(1), my_uid, my_gid); - - register_current_process_as_privilege_manager(my_uid); - - //change uid to normal user - int result = drop_root_privileges(my_uid, my_gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - PolicyEntry filter = PolicyEntry( - SECURITY_MANAGER_ANY, - std::to_string(target_uid), - SECURITY_MANAGER_ANY - ); - - //U2 requests contents of U1 privacy manager - should fail - Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); - RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size()); - - filter = PolicyEntry( - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY - ); - - policyEntries.clear(); - - //U2 requests contents of ADMIN bucket - should fail - Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); - RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size()); - exit(0); - } else { //parent - sync[1].claimParentEp(); - std::vector users = { - TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), - TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false) - }; - - users.at(0).create(); - users.at(1).create(); - - //Install apps for both users - for(const auto &user : users2AppsMap) { - - for(const auto &app : user.second) { - InstallRequest requestInst; - requestInst.setAppId(app.first.c_str()); - try { - requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str()); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); - }; - requestInst.setUid(users.at(0).getUid()); - - for (const auto &privilege : app.second) { - requestInst.addPrivilege(privilege.c_str()); - }; - - Api::install(requestInst); - }; - - //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str()); - }; - - //Start child #1 - sync[0].post(); - waitPid(pid[0]); - - //Start child #2 - sync[1].post(); - waitPid(pid[1]); - - for (auto &user : users) - user.remove(); - }; - }; -} - -RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin) -{ - //TEST DATA - const std::vector usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"}; - unsigned int privileges_count = 0; - - std::map>> users2AppsMap; - std::map> apps2PrivsMap; - - for (const auto &username : usernames) { - - for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { - apps2PrivsMap.insert(std::pair>( - MANY_APPS.at(i), std::set( - MANY_APPS_PRIVILEGES.at(i).begin(), - MANY_APPS_PRIVILEGES.at(i).end()))); - privileges_count+=MANY_APPS_PRIVILEGES.at(i).size(); - }; - - users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); - }; - - users2AppsMap.at(usernames.at(1)).insert(std::pair>( - PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); - - privileges_count += 2; - //TEST DATA END - SynchronizationPipe pipe; - - pid_t pid = fork(); - if (pid != 0) { - pipe.claimParentEp(); - std::vector users = { - TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), - TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) - }; - - users.at(0).create(); - users.at(1).create(); - - //Install apps for both users - for(const auto &user : users) { - - for(const auto &app : users2AppsMap.at(user.getUserName())) { - InstallRequest requestInst; - requestInst.setAppId(app.first.c_str()); - try { - requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).package.c_str()); - } catch (const std::out_of_range &e) { - RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); - }; - requestInst.setUid(user.getUid()); - - for (const auto &privilege : app.second) { - requestInst.addPrivilege(privilege.c_str()); - }; - - Api::install(requestInst); - }; - }; - - //Start child process - pipe.post(); - waitPid(pid); - - //switch back to root - for (auto &user : users) - user.remove(); - - } else { //child process - pipe.claimChildEp(); - pipe.wait(); - - uid_t uid; gid_t gid; - PasswdAccess::allUser(usernames.at(1), uid, gid); - register_current_process_as_privilege_manager(uid, true); - - //change uid to normal user - int result = drop_root_privileges(uid, gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - PolicyRequest *policyRequest = new PolicyRequest(); - PolicyEntry filter; - std::vector policyEntries; - //this call should succeed as the calling user is privileged - Api::getPolicyForSelf(filter, policyEntries); - - unsigned int policyNum = policyEntries.size(); - - PolicyEntry policyEntry( - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY, - "http://tizen.org/privilege/internet" - ); - policyEntry.setMaxLevel("Deny"); - - policyRequest->addEntry(policyEntry); - policyEntry = PolicyEntry( - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY, - "http://tizen.org/privilege/display" - ); - policyEntry.setMaxLevel("Deny"); - - policyRequest->addEntry(policyEntry); - Api::sendPolicy(*policyRequest); - Api::getPolicyForAdmin(filter, policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: " - << policyNum + 2 << " and is " << policyEntries.size()); - - delete policyRequest; - policyRequest = new PolicyRequest(); - policyEntry = PolicyEntry( - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY, - "http://tizen.org/privilege/internet" - ); - policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE); - policyRequest->addEntry(policyEntry); - - policyEntry = PolicyEntry( - SECURITY_MANAGER_ANY, - SECURITY_MANAGER_ANY, - "http://tizen.org/privilege/display" - ); - policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE); - - policyRequest->addEntry(policyEntry); - Api::sendPolicy(*policyRequest); - - policyEntries.clear(); - Api::getPolicyForAdmin(filter, policyEntries); - RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size()); - - delete policyRequest; - - exit(0); - }; - -} - -RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin) -{ - const char *const update_app_id = "security_manager_15_update_app_id"; - const char *const update_privilege = "http://tizen.org/privilege/led"; - const char *const check_start_bucket = "ADMIN"; - const std::string username("sm_test_15_username"); - PolicyRequest addPolicyRequest; - CynaraTestAdmin::Admin admin; - ScopedProcessLabel keepLabel; - - struct message { - uid_t uid; - gid_t gid; - } msg; - - int pipefd[2]; - pid_t pid; - int result = 0; - - RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); - - TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); - user.create(); - - pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0)//parent process - { - FdUniquePtr pipeptr(pipefd+1); - close(pipefd[0]); - - register_current_process_as_privilege_manager(user.getUid(), true); - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid); - - admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), - std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); - } - if(pid == 0) - { - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - //become admin privacy manager manager - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); - entry.setMaxLevel("Allow"); - - addPolicyRequest.addEntry(entry); - Api::sendPolicy(addPolicyRequest); - exit(0); - } -} - -RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard) -{ - const char *const update_other_app_id = "security_manager_15_update_other_app_id"; - const char *const update_privilege = "http://tizen.org/privilege/led"; - const char *const check_start_bucket = "ADMIN"; - const std::string username("sm_test_15_username"); - PolicyRequest addPolicyRequest; - CynaraTestAdmin::Admin admin; - ScopedProcessLabel keepLabel; - - struct message { - uid_t uid; - gid_t gid; - } msg; - - int pipefd[2]; - pid_t pid; - int result = 0; - - RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); - - TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); - user.create(); - - pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0)//parent process - { - FdUniquePtr pipeptr(pipefd+1); - close(pipefd[0]); - - register_current_process_as_privilege_manager(user.getUid(), true); - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid); - - admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(), - std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); - } - if(pid == 0) - { - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - //become admin privacy manager manager - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - // use wildcard as appId - PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast(msg.uid)), update_privilege); - entry.setMaxLevel("Allow"); - - addPolicyRequest.addEntry(entry); - Api::sendPolicy(addPolicyRequest); - exit(0); - } -} - -RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self) -{ - const char *const update_app_id = "security_manager_15_update_app_id"; - const char *const update_privilege = "http://tizen.org/privilege/led"; - const char *const check_start_bucket = ""; - const std::string username("sm_test_15_username"); - PolicyRequest addPolicyRequest; - CynaraTestAdmin::Admin admin; - ScopedProcessLabel keepLabel; - - struct message { - uid_t uid; - gid_t gid; - } msg; - - int pipefd[2]; - pid_t pid; - int result = 0; - - RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); - - TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); - user.create(); - - pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0)//parent process - { - FdUniquePtr pipeptr(pipefd+1); - close(pipefd[0]); - - register_current_process_as_privilege_manager(user.getUid(), false); - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid); - - admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), - std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); - } - if(pid == 0) - { - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - //become admin privacy manager manager - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); - entry.setLevel("Allow"); - - addPolicyRequest.addEntry(entry); - Api::sendPolicy(addPolicyRequest); - exit(0); - } -} - -RUNNER_CHILD_TEST(security_manager_16_policy_levels_get) -{ - const std::string username("sm_test_16_user_cynara_policy"); - CynaraTestAdmin::Admin admin; - int pipefd[2]; - pid_t pid; - int result = 0; - - struct message { - uid_t uid; - gid_t gid; - } msg; - - RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); - - TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); - user.create(); - - pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0)//parent process - { - FdUniquePtr pipeptr(pipefd+1); - close(pipefd[0]); - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid); - } - if(pid == 0) - { - int ret; - char** levels; - std::string allow_policy, deny_policy; - size_t count; - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - //become admin privacy manager manager - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - // 3 should be there when ask-user is installed - ret = security_manager_policy_levels_get(&levels, &count); - - RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS, - "Invlid return code: " << ret); - - RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast(count)); - - deny_policy = std::string(levels[0]); - allow_policy = std::string(levels[count-1]); - // first should always be Deny - RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0, - "Invalid first policy level. Should be Deny, instead there is: " << levels[0]); - // last should always be Allow - RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0, - "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]); - - security_manager_policy_levels_free(levels, count); - exit(0); - } -} - -RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self) -{ - const char *const update_app_id = "security_manager_17_update_app_id"; - const char *const update_privilege = "http://tizen.org/privilege/led"; - const char *const check_start_bucket = ""; - const std::string username("sm_test_17_username"); - PolicyRequest addPolicyRequest; - CynaraTestAdmin::Admin admin; - - struct message { - uid_t uid; - gid_t gid; - } msg; - - int pipefd[2]; - int pipefd2[2]; - pid_t pid[2]; - int result = 0; - ScopedProcessLabel keepLabel; - - RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); - RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed"); - - TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); - user.create(); - - pid[0] = fork(); - RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed"); - if (pid[0] != 0)//parent process - { - FdUniquePtr pipeptr(pipefd+1); - close(pipefd[0]); - - register_current_process_as_privilege_manager(user.getUid(), false); - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid[0]); - - admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), - std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); - - pid[1] = fork(); - if (pid[1] != 0)//parent process - { - FdUniquePtr pipeptr(pipefd2+1); - close(pipefd2[0]); - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid[1]); - - admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), - std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr); - } - if(pid[1] == 0) - { - FdUniquePtr pipeptr(pipefd2); - close(pipefd2[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - // delete this entry - PolicyRequest deletePolicyRequest; - PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); - deleteEntry.setLevel(SECURITY_MANAGER_DELETE); - - deletePolicyRequest.addEntry(deleteEntry); - Api::sendPolicy(deletePolicyRequest); - exit(0); - } - } - if(pid[0] == 0) - { - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - //become admin privacy manager manager - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); - entry.setLevel("Allow"); - - addPolicyRequest.addEntry(entry); - Api::sendPolicy(addPolicyRequest); - exit(0); - } -} - -RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered) -{ - const std::string username("sm_test_17_user_name"); - - struct message { - uid_t uid; - gid_t gid; - unsigned int privileges_count; - } msg; - - int pipefd[2]; - pid_t pid; - int result = 0; - ScopedProcessLabel keepLabel; - - RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); - - pid = fork(); - RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); - if (pid != 0)//parent process - { - FdUniquePtr pipeptr(pipefd+1); - close(pipefd[0]); - - TemporaryTestUser user(username, static_cast(GUM_USERTYPE_NORMAL), false); - user.create(); - - unsigned int privileges_count = 0; - - for(unsigned int i = 0; i < MANY_APPS.size(); ++i) { - InstallRequest requestInst; - requestInst.setAppId(MANY_APPS[i].c_str()); - requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).package.c_str()); - requestInst.setUid(user.getUid()); - - for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) { - requestInst.addPrivilege(priv.c_str()); - }; - - Api::install(requestInst); - privileges_count += MANY_APPS_PRIVILEGES.at(i).size(); - }; - - register_current_process_as_privilege_manager(user.getUid(), false); - //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable - ++privileges_count; - - //send info to child - msg.uid = user.getUid(); - msg.gid = user.getGid(); - msg.privileges_count = privileges_count; - - ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); - - waitPid(pid); - } - if(pid == 0) - { - FdUniquePtr pipeptr(pipefd); - close(pipefd[1]); - - ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); - RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); - - //become admin privacy manager manager - Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); - result = drop_root_privileges(msg.uid, msg.gid); - RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); - - // filter by privilege - std::vector policyEntries; - PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet"); - Api::getPolicy(filter, policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); - RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size()); - - // filter by other privilege - policyEntries.clear(); - PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email"); - Api::getPolicy(filter2, policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); - RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size()); - - // filter by appId - policyEntries.clear(); - PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY); - Api::getPolicy(filter3, policyEntries); - - RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); - RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size()); - } -} RUNNER_TEST(security_manager_18_user_cynara_policy) { @@ -1446,8 +281,8 @@ RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) } msg; privileges_t admin_required_privs = { - PRIVILEGE_MANAGER_SELF_PRIVILEGE, - PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}; + "http://tizen.org/privilege/notexist", + "http://tizen.org/privilege/internal/usermanagement"}; privileges_t manifest_privs = { "http://tizen.org/privilege/internet", "http://tizen.org/privilege/datasharing"}; diff --git a/src/security-manager-tests/test_cases_privacy_manager.cpp b/src/security-manager-tests/test_cases_privacy_manager.cpp new file mode 100644 index 0000000..3f651d3 --- /dev/null +++ b/src/security-manager-tests/test_cases_privacy_manager.cpp @@ -0,0 +1,1211 @@ +/* + * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +using namespace SecurityManagerTest; + +static const std::vector PM_MANY_APPS = { + "security_manager_pm_app_1", + "security_manager_pm_app_2", + "security_manager_pm_app_3", + "security_manager_pm_app_4", + "security_manager_pm_app_5" +}; + +const std::string PRIVILEGE_MANAGER_APP = "privilege_manager"; +const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager"; +const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist"; +const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement"; + +static const std::map PM_MANY_APPS_PKGS = { + {"security_manager_pm_app_1", {"security_manager_pm_pkg_1", "2.1"}}, + {"security_manager_pm_app_2", {"security_manager_pm_pkg_2", "3.0"}}, + {"security_manager_pm_app_3", {"security_manager_pm_pkg_3", "2.1.1"}}, + {"security_manager_pm_app_4", {"security_manager_pm_pkg_4", "3.1"}}, + {"security_manager_pm_app_5", {"security_manager_pm_pkg_5", "2.2"}}, + {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}} +}; + +static const std::vector PM_MANY_APPS_PRIVILEGES = { + { + "http://tizen.org/privilege/internet", + "http://tizen.org/privilege/display" + }, + { + "http://tizen.org/privilege/telephony", + "http://tizen.org/privilege/datasharing" + }, + { + "http://tizen.org/privilege/content.write", + "http://tizen.org/privilege/led", + "http://tizen.org/privilege/email" + }, + { + "http://tizen.org/privilege/led", + "http://tizen.org/privilege/email", + "http://tizen.org/privilege/telephony", + "http://tizen.org/privilege/datasharing" + }, + { + "http://tizen.org/privilege/internet", + "http://tizen.org/privilege/display", + "http://tizen.org/privilege/led", + "http://tizen.org/privilege/email" + } +}; + +RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER) + +static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false) +{ + InstallRequest request; + request.setAppId(PRIVILEGE_MANAGER_APP.c_str()); + request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str()); + request.setUid(uid); + request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str()); + if (forAdmin) + request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str()); + Api::install(request); + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); +}; + +RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self) +{ + //TEST DATA + const std::string username("sm_test_10_user_name"); + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + PM_MANY_APPS.at(i), std::set( + PM_MANY_APPS_PRIVILEGES.at(i).begin(), + PM_MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size(); + }; + + apps2PrivsMap.insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + ++privileges_count; + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + //TEST DATA END + + SynchronizationPipe pipe; + pid_t pid = fork(); + + if (pid != 0) { //parent process + pipe.claimParentEp(); + TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false); + tmpUser.create(); + + for(const auto &user : users2AppsMap) { + for(const auto &app : user.second) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(tmpUser.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str()); + }; + + //Start child process + pipe.post(); + waitPid(pid); + + tmpUser.remove(); + } else { //child process + pipe.claimChildEp(); + pipe.wait(); + + uid_t uid; gid_t gid; + PasswdAccess::allUser(username, uid, gid); + std::string uidStr = std::to_string(uid); + register_current_process_as_privilege_manager(uid); + int result = drop_root_privileges(uid, gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + std::vector policyEntries; + PolicyEntry filter; + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); + + for (const auto &policyEntry : policyEntries) { + std::string user = policyEntry.getUser(); + std::string app = policyEntry.getAppId(); + std::string privilege = policyEntry.getPrivilege(); + + RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user); + + try { + std::set::iterator tmp = users2AppsMap.at(username).at(app).find(privilege); + if (tmp == users2AppsMap.at(username).at(app).end()) + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what()); + }; + }; + exit(0); + }; +} + +RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged) +{ + //TEST DATA + const std::vector usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"}; + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + //Only entries for one of the users will be listed + privileges_count = 0; + + for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + PM_MANY_APPS.at(i), std::set( + PM_MANY_APPS_PRIVILEGES.at(i).begin(), + PM_MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size(); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(0)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + + ++privileges_count; + //TEST DATA END + + SynchronizationPipe pipe; + pid_t pid = fork(); + + if (pid != 0) { //parent process + pipe.claimParentEp(); + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + + //Install apps for both users + for(const auto &user : users) { + for(const auto &app : users2AppsMap.at(user.getUserName())) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(user.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str()); + }; + + //Start child + pipe.post(); + waitPid(pid); + + for (auto &user : users) + user.remove(); + + } else { //child process + pipe.claimChildEp(); + pipe.wait(); + + uid_t uid; gid_t gid; + PasswdAccess::allUser(usernames.at(0), uid, gid); + std::string uidStr = std::to_string(uid); + register_current_process_as_privilege_manager(uid); + + //change uid to normal user + errno = 0; + int result = drop_root_privileges(uid, gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + std::vector policyEntries; + PolicyEntry filter; + + //this call should only return privileges belonging to the current uid + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); + + for (const auto &policyEntry : policyEntries) { + std::string user = policyEntry.getUser(); + std::string app = policyEntry.getAppId(); + std::string privilege = policyEntry.getPrivilege(); + + RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user); + + try { + std::set::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege); + if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end()) + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what()); + }; + }; + exit(0); + }; +} + +RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged) +{ + std::vector oldPolicyVec; + Api::getPolicy(PolicyEntry(), oldPolicyVec); + std::unordered_set oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end()); + + //TEST DATA + const std::vector usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"}; + unsigned int privileges_count = oldPolicyVec.size(); + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + PM_MANY_APPS.at(i), std::set( + PM_MANY_APPS_PRIVILEGES.at(i).begin(), + PM_MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size(); + }; + + users2AppsMap.insert(std::make_pair(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP, + std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE})); + + privileges_count += 2; + //TEST DATA END + + SynchronizationPipe pipe; + pid_t pid = fork(); + + if (pid != 0) { //parent process + pipe.claimParentEp(); + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + //Install apps for both users + for(const auto &user : users) { + for(const auto &app : users2AppsMap.at(user.getUserName())) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(user.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str()); + }; + + //Start child process + pipe.post(); + waitPid(pid); + + for (auto &user : users) + user.remove(); + + } else { //child process + pipe.claimChildEp(); + pipe.wait(); + + uid_t adminUid; + gid_t adminGid; + PasswdAccess::allUser(usernames.at(1), adminUid, adminGid); + std::string adminUidStr = std::to_string(adminUid); + uid_t normalUid = PasswdAccess::uid(usernames.at(0)); + std::string normalUidStr = std::to_string(normalUid); + register_current_process_as_privilege_manager(adminUid, true); + + //change uid to normal user + int result = drop_root_privileges(adminUid, adminGid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + + std::vector policyEntries; + //this call should succeed as the calling user is privileged + Api::getPolicy(PolicyEntry(), policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size()); + + for (const auto &policyEntry : policyEntries) { + if (oldPolicySet.count(policyEntry)) + continue; + + std::string user = policyEntry.getUser(); + std::string app = policyEntry.getAppId(); + std::string privilege = policyEntry.getPrivilege(); + + RUNNER_ASSERT_MSG(user == normalUidStr || user == adminUidStr, "Unexpected user: " << user); + + std::string uidStrToLook = user == normalUidStr ? usernames.at(0) : usernames.at(1); + + try { + std::set::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege); + if (tmp == users2AppsMap.at(uidStrToLook).at(app).end()) + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what()); + } catch (const std::invalid_argument& e) { + RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what()); + }; + }; + + exit(0); + }; +} + +RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged) +{ + //TEST DATA + const std::vector usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"}; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + + for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + PM_MANY_APPS.at(i), std::set( + PM_MANY_APPS_PRIVILEGES.at(i).begin(), + PM_MANY_APPS_PRIVILEGES.at(i).end()))); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(1)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + + //TEST DATA END + + pid_t pid[2]; + SynchronizationPipe sync[2]; + std::vector policyEntries; + + pid[0] = fork(); + + if (pid[0] == 0) { //child #1 process + sync[0].claimChildEp(); + sync[0].wait(); + + uid_t uid; gid_t gid; + PasswdAccess::allUser(usernames.at(0), uid, gid); + register_current_process_as_privilege_manager(uid); + + //change uid to normal user + int result = drop_root_privileges(uid, gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry filter; + PolicyRequest policyRequest; + + PolicyEntry policyEntry( + PM_MANY_APPS[0], + std::to_string(uid), + "http://tizen.org/privilege/internet" + ); + policyEntry.setLevel("Deny"); + + policyRequest.addEntry(policyEntry); + policyEntry = PolicyEntry( + PM_MANY_APPS[1], + std::to_string(uid), + "http://tizen.org/privilege/display" + ); + policyEntry.setLevel("Deny"); + + policyRequest.addEntry(policyEntry); + Api::sendPolicy(policyRequest); + + exit(0); + } else { //parent process + sync[0].claimParentEp(); + pid[1] = fork(); + + if (pid[1] == 0) { //child #2 process + sync[1].claimChildEp(); + sync[1].wait(); + + uid_t target_uid = PasswdAccess::uid(usernames.at(0)); + uid_t my_uid; + gid_t my_gid; + PasswdAccess::allUser(usernames.at(1), my_uid, my_gid); + + register_current_process_as_privilege_manager(my_uid); + + //change uid to normal user + int result = drop_root_privileges(my_uid, my_gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry filter = PolicyEntry( + SECURITY_MANAGER_ANY, + std::to_string(target_uid), + SECURITY_MANAGER_ANY + ); + + //U2 requests contents of U1 privacy manager - should fail + Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size()); + + filter = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY + ); + + policyEntries.clear(); + + //U2 requests contents of ADMIN bucket - should fail + Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size()); + exit(0); + } else { //parent + sync[1].claimParentEp(); + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false) + }; + + users.at(0).create(); + users.at(1).create(); + + //Install apps for both users + for(const auto &user : users2AppsMap) { + + for(const auto &app : user.second) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(users.at(0).getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + + //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str()); + }; + + //Start child #1 + sync[0].post(); + waitPid(pid[0]); + + //Start child #2 + sync[1].post(); + waitPid(pid[1]); + + for (auto &user : users) + user.remove(); + }; + }; +} + +RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin) +{ + //TEST DATA + const std::vector usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"}; + unsigned int privileges_count = 0; + + std::map>> users2AppsMap; + std::map> apps2PrivsMap; + + for (const auto &username : usernames) { + + for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) { + apps2PrivsMap.insert(std::pair>( + PM_MANY_APPS.at(i), std::set( + PM_MANY_APPS_PRIVILEGES.at(i).begin(), + PM_MANY_APPS_PRIVILEGES.at(i).end()))); + privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size(); + }; + + users2AppsMap.insert(std::pair>>(username, apps2PrivsMap)); + }; + + users2AppsMap.at(usernames.at(1)).insert(std::pair>( + PRIVILEGE_MANAGER_APP, std::set{PRIVILEGE_MANAGER_SELF_PRIVILEGE})); + + privileges_count += 2; + //TEST DATA END + SynchronizationPipe pipe; + + pid_t pid = fork(); + if (pid != 0) { + pipe.claimParentEp(); + std::vector users = { + TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false), + TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false) + }; + + users.at(0).create(); + users.at(1).create(); + + //Install apps for both users + for(const auto &user : users) { + + for(const auto &app : users2AppsMap.at(user.getUserName())) { + InstallRequest requestInst; + requestInst.setAppId(app.first.c_str()); + try { + requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str()); + } catch (const std::out_of_range &e) { + RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first); + }; + requestInst.setUid(user.getUid()); + + for (const auto &privilege : app.second) { + requestInst.addPrivilege(privilege.c_str()); + }; + + Api::install(requestInst); + }; + }; + + //Start child process + pipe.post(); + waitPid(pid); + + //switch back to root + for (auto &user : users) + user.remove(); + + } else { //child process + pipe.claimChildEp(); + pipe.wait(); + + uid_t uid; gid_t gid; + PasswdAccess::allUser(usernames.at(1), uid, gid); + register_current_process_as_privilege_manager(uid, true); + + //change uid to normal user + int result = drop_root_privileges(uid, gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyRequest *policyRequest = new PolicyRequest(); + PolicyEntry filter; + std::vector policyEntries; + //this call should succeed as the calling user is privileged + Api::getPolicyForSelf(filter, policyEntries); + + unsigned int policyNum = policyEntries.size(); + + PolicyEntry policyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/internet" + ); + policyEntry.setMaxLevel("Deny"); + + policyRequest->addEntry(policyEntry); + policyEntry = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/display" + ); + policyEntry.setMaxLevel("Deny"); + + policyRequest->addEntry(policyEntry); + Api::sendPolicy(*policyRequest); + Api::getPolicyForAdmin(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: " + << policyNum + 2 << " and is " << policyEntries.size()); + + delete policyRequest; + policyRequest = new PolicyRequest(); + policyEntry = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/internet" + ); + policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE); + policyRequest->addEntry(policyEntry); + + policyEntry = PolicyEntry( + SECURITY_MANAGER_ANY, + SECURITY_MANAGER_ANY, + "http://tizen.org/privilege/display" + ); + policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE); + + policyRequest->addEntry(policyEntry); + Api::sendPolicy(*policyRequest); + + policyEntries.clear(); + Api::getPolicyForAdmin(filter, policyEntries); + RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size()); + + delete policyRequest; + + exit(0); + }; + +} + +RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin) +{ + const char *const update_app_id = "security_manager_15_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = "ADMIN"; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + ScopedProcessLabel keepLabel; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), true); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setMaxLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard) +{ + const char *const update_other_app_id = "security_manager_15_update_other_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = "ADMIN"; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + ScopedProcessLabel keepLabel; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), true); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // use wildcard as appId + PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setMaxLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self) +{ + const char *const update_app_id = "security_manager_15_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = ""; + const std::string username("sm_test_15_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + ScopedProcessLabel keepLabel; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), false); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_16_policy_levels_get) +{ + const std::string username("sm_test_16_user_cynara_policy"); + CynaraTestAdmin::Admin admin; + int pipefd[2]; + pid_t pid; + int result = 0; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid); + } + if(pid == 0) + { + int ret; + char** levels; + std::string allow_policy, deny_policy; + size_t count; + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // 3 should be there when ask-user is installed + ret = security_manager_policy_levels_get(&levels, &count); + + RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS, + "Invlid return code: " << ret); + + RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast(count)); + + deny_policy = std::string(levels[0]); + allow_policy = std::string(levels[count-1]); + + // first should always be Deny + RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0, + "Invalid first policy level. Should be Deny, instead there is: " << levels[0]); + + // last should always be Allow + RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0, + "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]); + + security_manager_policy_levels_free(levels, count); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self) +{ + const char *const update_app_id = "security_manager_17_update_app_id"; + const char *const update_privilege = "http://tizen.org/privilege/led"; + const char *const check_start_bucket = ""; + const std::string username("sm_test_17_username"); + PolicyRequest addPolicyRequest; + CynaraTestAdmin::Admin admin; + + struct message { + uid_t uid; + gid_t gid; + } msg; + + int pipefd[2]; + int pipefd2[2]; + pid_t pid[2]; + int result = 0; + ScopedProcessLabel keepLabel; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed"); + + TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false); + user.create(); + + pid[0] = fork(); + RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed"); + if (pid[0] != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + register_current_process_as_privilege_manager(user.getUid(), false); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid[0]); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr); + + pid[1] = fork(); + if (pid[1] != 0)//parent process + { + FdUniquePtr pipeptr(pipefd2+1); + close(pipefd2[0]); + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid[1]); + + admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(), + std::to_string(static_cast(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr); + } + if(pid[1] == 0) + { + FdUniquePtr pipeptr(pipefd2); + close(pipefd2[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // delete this entry + PolicyRequest deletePolicyRequest; + PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + deleteEntry.setLevel(SECURITY_MANAGER_DELETE); + + deletePolicyRequest.addEntry(deleteEntry); + Api::sendPolicy(deletePolicyRequest); + exit(0); + } + } + if(pid[0] == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + PolicyEntry entry(update_app_id, std::to_string(static_cast(msg.uid)), update_privilege); + entry.setLevel("Allow"); + + addPolicyRequest.addEntry(entry); + Api::sendPolicy(addPolicyRequest); + exit(0); + } +} + +RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered) +{ + const std::string username("sm_test_17_user_name"); + + struct message { + uid_t uid; + gid_t gid; + unsigned int privileges_count; + } msg; + + int pipefd[2]; + pid_t pid; + int result = 0; + ScopedProcessLabel keepLabel; + + RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed"); + + pid = fork(); + RUNNER_ASSERT_MSG(pid >= 0, "fork failed"); + if (pid != 0)//parent process + { + FdUniquePtr pipeptr(pipefd+1); + close(pipefd[0]); + + TemporaryTestUser user(username, static_cast(GUM_USERTYPE_NORMAL), false); + user.create(); + + unsigned int privileges_count = 0; + + for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) { + InstallRequest requestInst; + requestInst.setAppId(PM_MANY_APPS[i].c_str()); + requestInst.setPkgId(PM_MANY_APPS_PKGS.at(PM_MANY_APPS[i]).package.c_str()); + requestInst.setUid(user.getUid()); + + for (auto &priv : PM_MANY_APPS_PRIVILEGES.at(i)) { + requestInst.addPrivilege(priv.c_str()); + }; + + Api::install(requestInst); + privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size(); + }; + + register_current_process_as_privilege_manager(user.getUid(), false); + //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable + ++privileges_count; + + //send info to child + msg.uid = user.getUid(); + msg.gid = user.getGid(); + msg.privileges_count = privileges_count; + + ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed"); + + waitPid(pid); + } + if(pid == 0) + { + FdUniquePtr pipeptr(pipefd); + close(pipefd[1]); + + ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message))); + RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed"); + + //become admin privacy manager manager + Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str()); + result = drop_root_privileges(msg.uid, msg.gid); + RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed"); + + // filter by privilege + std::vector policyEntries; + PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet"); + Api::getPolicy(filter, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size()); + + // filter by other privilege + policyEntries.clear(); + PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email"); + Api::getPolicy(filter2, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size()); + + // filter by appId + policyEntries.clear(); + PolicyEntry filter3(PM_MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY); + Api::getPolicy(filter3, policyEntries); + + RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty"); + RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size()); + } +}