1 #include <dpl/log/log.h>
2 #include <dpl/test/test_runner.h>
7 #include <unordered_set>
8 #include <sys/capability.h>
12 #include <sys/types.h>
14 #include <sys/socket.h>
16 #include <attr/xattr.h>
17 #include <linux/xattr.h>
20 #include <sys/types.h>
26 #include <libprivilege-control_test_common.h>
27 #include <tests_common.h>
29 #include <tzplatform_config.h>
30 #include <security-manager.h>
33 #include <sm_request.h>
34 #include <sm_user_request.h>
35 #include <temp_test_user.h>
36 #include <cynara_test_client.h>
37 #include <cynara_test_admin.h>
38 #include <service_manager.h>
39 #include <cynara_test_admin.h>
41 using namespace SecurityManagerTest;
43 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
44 DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
46 static const privileges_t SM_ALLOWED_PRIVILEGES = {
47 "http://tizen.org/privilege/location",
48 "http://tizen.org/privilege/camera"
51 static const privileges_t SM_DENIED_PRIVILEGES = {
52 "http://tizen.org/privilege/bluetooth",
53 "http://tizen.org/privilege/power"
56 static const privileges_t SM_NO_PRIVILEGES = {
59 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
61 static const char *const SM_RW_PATH = "/usr/apps/app_dir";
62 static const char *const SM_RO_PATH = "/usr/apps/app_dir_public_ro";
63 static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
65 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
66 static const std::string EXEC_FILE("exec");
67 static const std::string NORMAL_FILE("normal");
68 static const std::string LINK_PREFIX("link_to_");
70 static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
71 static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
72 static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
73 static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
75 static const std::vector<std::string> MANY_APPS = {
76 "security_manager_10_app_1",
77 "security_manager_10_app_2",
78 "security_manager_10_app_3",
79 "security_manager_10_app_4",
80 "security_manager_10_app_5"
83 static const std::map<std::string, std::string> MANY_APPS_PKGS = {
84 {"security_manager_10_app_1", "security_manager_10_pkg_1"},
85 {"security_manager_10_app_2", "security_manager_10_pkg_2"},
86 {"security_manager_10_app_3", "security_manager_10_pkg_3"},
87 {"security_manager_10_app_4", "security_manager_10_pkg_4"},
88 {"security_manager_10_app_5", "security_manager_10_pkg_5"},
89 {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG}
92 static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
94 "http://tizen.org/privilege/internet",
95 "http://tizen.org/privilege/location"
98 "http://tizen.org/privilege/telephony",
99 "http://tizen.org/privilege/camera"
102 "http://tizen.org/privilege/contact.read",
103 "http://tizen.org/privilege/led",
104 "http://tizen.org/privilege/email"
107 "http://tizen.org/privilege/led",
108 "http://tizen.org/privilege/email",
109 "http://tizen.org/privilege/telephony",
110 "http://tizen.org/privilege/camera"
113 "http://tizen.org/privilege/internet",
114 "http://tizen.org/privilege/location",
115 "http://tizen.org/privilege/led",
116 "http://tizen.org/privilege/email"
120 static std::string generateAppLabel(const std::string &appId)
122 return "User::App::" + appId;
125 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
126 const char* correctLabel, bool transmute_test, bool exec_test)
130 char* label = nullptr;
133 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
134 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
135 labelPtr.reset(label);
136 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
137 result = strcmp(correctLabel, label);
138 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
139 " (should be '" << correctLabel << "' and is '" << label << "')");
143 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
144 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
145 labelPtr.reset(label);
147 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
148 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
149 result = strcmp(correctLabel, label);
150 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
152 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
156 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
157 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
158 labelPtr.reset(label);
160 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
161 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
162 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
163 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
165 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
171 // nftw doesn't allow passing user data to functions. Work around by using global variable
172 static std::string nftw_expected_label;
173 bool nftw_expected_transmute;
174 bool nftw_expected_exec;
176 static int nftw_check_sm_labels(const char *fpath, const struct stat *sb,
177 int /*typeflag*/, struct FTW* /*ftwbuf*/)
179 return nftw_check_sm_labels_app_dir(fpath, sb,
180 nftw_expected_label.c_str(), nftw_expected_transmute, nftw_expected_exec);
183 static void prepare_app_path()
187 result = nftw(SM_RW_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
188 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RW_PATH);
190 result = nftw(SM_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
191 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_RO_PATH);
193 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
194 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
197 static void prepare_app_env()
202 static void check_app_path_after_install(const char *appId)
206 nftw_expected_label = generateAppLabel(appId);
207 nftw_expected_transmute = false;
208 nftw_expected_exec = true;
210 result = nftw(SM_RW_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
211 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RW_PATH);
213 nftw_expected_label = "User::Home";
214 nftw_expected_transmute = true;
215 nftw_expected_exec = false;
217 result = nftw(SM_RO_PATH, &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
218 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_RO_PATH);
220 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
221 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
225 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
226 const privileges_t &allowed_privs, const privileges_t &denied_privs)
229 std::string smackLabel = generateAppLabel(app_id);
231 CynaraTestClient::Client ctc;
233 for (auto &priv : allowed_privs) {
234 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
237 for (auto &priv : denied_privs) {
238 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
242 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
245 gid_t main_gid = getgid();
246 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
248 // Reset supplementary groups
249 ret = setgroups(0, NULL);
250 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
252 Api::setProcessGroups(app_id);
254 ret = getgroups(0, nullptr);
255 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
257 std::vector<gid_t> actual_gids(ret);
258 ret = getgroups(ret, actual_gids.data());
259 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
261 for (const auto &gid : actual_gids) {
262 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
263 "Application shouldn't get access to group " << gid);
264 reference_gids.erase(gid);
267 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
270 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
271 const privileges_t &allowed_privs,
272 const privileges_t &denied_privs,
273 const std::vector<std::string> &allowed_groups)
275 TestSecurityManagerDatabase dbtest;
276 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
277 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
279 /*Privileges should be granted to all users if root installs app*/
280 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
282 /* Setup mapping of gids to privileges */
283 /* Do this for each privilege for extra check */
284 for (const auto &privilege : allowed_privs) {
285 dbtest.setup_privilege_groups(privilege, allowed_groups);
288 std::vector<gid_t> allowed_gids;
290 for (const auto &groupName : allowed_groups) {
292 struct group* grp = getgrnam(groupName.c_str());
293 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
294 allowed_gids.push_back(grp->gr_gid);
297 check_app_gids(app_id, allowed_gids);
300 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
302 TestSecurityManagerDatabase dbtest;
303 dbtest.test_db_after__app_install(app_id, pkg_id);
306 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
307 const privileges_t &privileges, const bool is_pkg_removed)
309 TestSecurityManagerDatabase dbtest;
310 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
313 /*Privileges should not be granted anymore to any user*/
314 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
317 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
318 const bool is_pkg_removed)
320 TestSecurityManagerDatabase dbtest;
321 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
324 static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
326 InstallRequest request;
327 request.setAppId(app_id);
328 request.setPkgId(pkg_id);
330 Api::install(request);
332 check_app_after_install(app_id, pkg_id);
336 static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
338 InstallRequest request;
339 request.setAppId(app_id);
341 Api::uninstall(request);
343 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
346 static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
348 InstallRequest request;
349 request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
350 request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
352 request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
354 request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
355 Api::install(request);
356 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
359 static inline struct passwd *getUserStruct(const std::string &userName) {
360 struct passwd *pw = nullptr;
363 while(!(pw = getpwnam(userName.c_str()))) {
364 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
370 static inline struct passwd *getUserStruct(const uid_t uid) {
371 struct passwd *pw = nullptr;
374 while(!(pw = getpwuid(uid))) {
375 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
381 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
384 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
386 const char *const sm_app_id = "sm_test_01a_app_id_double";
387 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
389 InstallRequest requestInst;
390 requestInst.setAppId(sm_app_id);
391 requestInst.setPkgId(sm_pkg_id);
393 Api::install(requestInst);
394 Api::install(requestInst);
396 /* Check records in the security-manager database */
397 check_app_after_install(sm_app_id, sm_pkg_id);
399 InstallRequest requestUninst;
400 requestUninst.setAppId(sm_app_id);
402 Api::uninstall(requestUninst);
403 Api::uninstall(requestUninst);
405 /* Check records in the security-manager database */
406 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
410 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
412 const char *const sm_app_id = "sm_test_01b_app";
413 const char *const sm_pkg_id = "sm_test_01b_pkg";
414 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
416 InstallRequest requestInst;
417 requestInst.setAppId(sm_app_id);
418 requestInst.setPkgId(sm_pkg_id);
420 Api::install(requestInst);
422 InstallRequest requestInst2;
423 requestInst2.setAppId(sm_app_id);
424 requestInst2.setPkgId(sm_pkg_id_wrong);
426 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
429 /* Check records in the security-manager database */
430 check_app_after_install(sm_app_id, sm_pkg_id);
432 InstallRequest requestUninst;
433 requestUninst.setAppId(sm_app_id);
435 Api::uninstall(requestUninst);
438 /* Check records in the security-manager database */
439 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
443 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
445 const char * const sm_app_id = "SM_TEST_01c_APPID";
446 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
447 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
449 InstallRequest requestInst;
450 requestInst.setAppId(sm_app_id);
451 requestInst.setPkgId(sm_pkg_id);
453 Api::install(requestInst);
455 /* Check records in the security-manager database */
456 check_app_after_install(sm_app_id, sm_pkg_id);
458 InstallRequest requestUninst;
459 requestUninst.setAppId(sm_app_id);
460 requestUninst.setPkgId(sm_pkg_id_wrong);
462 Api::uninstall(requestUninst);
464 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
468 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
470 const char *const sm_app_id = "sm_test_02_app_id_full";
471 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
475 InstallRequest requestInst;
476 requestInst.setAppId(sm_app_id);
477 requestInst.setPkgId(sm_pkg_id);
478 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
479 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
480 requestInst.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
481 requestInst.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
483 Api::install(requestInst);
485 /* Check records in the security-manager database */
486 check_app_after_install(sm_app_id, sm_pkg_id,
487 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
489 /* TODO: add parameters to this function */
490 check_app_path_after_install(sm_app_id);
492 InstallRequest requestUninst;
493 requestUninst.setAppId(sm_app_id);
495 Api::uninstall(requestUninst);
497 /* Check records in the security-manager database,
498 * all previously allowed privileges should be removed */
499 check_app_after_uninstall(sm_app_id, sm_pkg_id,
500 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
503 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
505 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
506 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
507 const char *const socketLabel = "not_expected_label";
508 std::string expected_label = generateAppLabel(app_id);
509 char *label = nullptr;
513 uninstall_app(app_id, pkg_id, true);
514 install_app(app_id, pkg_id);
516 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
517 //Clean up before creating socket
519 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
520 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
521 SockUniquePtr sockPtr(&sock);
522 //Bind socket to address
523 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
524 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
525 //Set socket label to something different than expecedLabel
526 result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPIN, socketLabel);
527 RUNNER_ASSERT_ERRNO_MSG(result == 0,
528 "Can't set socket label. Result: " << result);
529 result = smack_set_label_for_file(sock, XATTR_NAME_SMACKIPOUT, socketLabel);
530 RUNNER_ASSERT_ERRNO_MSG(result == 0,
531 "Can't set socket label. Result: " << result);
533 Api::setProcessLabel(app_id);
535 result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPIN, &label);
536 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
537 labelPtr.reset(label);
538 result = expected_label.compare(label);
539 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
540 expected_label << " Actual: " << label);
542 result = smack_new_label_from_file(sock, XATTR_NAME_SMACKIPOUT, &label);
543 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
544 labelPtr.reset(label);
545 result = expected_label.compare(label);
546 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
547 expected_label << " Actual: " << label);
549 result = smack_new_label_from_self(&label);
550 RUNNER_ASSERT_MSG(result >= 0,
551 " Error getting current process label");
552 RUNNER_ASSERT_MSG(label != nullptr,
553 " Process label is not set");
554 labelPtr.reset(label);
556 result = expected_label.compare(label);
557 RUNNER_ASSERT_MSG(result == 0,
558 " Process label is incorrect. Expected: \"" << expected_label <<
559 "\" Actual: \"" << label << "\"");
561 uninstall_app(app_id, pkg_id, true);
564 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
566 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
567 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
569 uninstall_app(app_id, pkg_id, true);
570 install_app(app_id, pkg_id);
572 Api::setProcessLabel(app_id);
574 uninstall_app(app_id, pkg_id, true);
577 static void prepare_request(InstallRequest &request,
578 const char *const app_id,
579 const char *const pkg_id,
580 app_install_path_type pathType,
581 const char *const path,
584 request.setAppId(app_id);
585 request.setPkgId(pkg_id);
586 request.addPath(path, pathType);
592 static uid_t getGlobalUserId(void)
594 return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
597 static const std::string appDirPath(const TemporaryTestUser &user,
598 const std::string &appId, const std::string &pkgId)
600 struct tzplatform_context *tzCtxPtr = nullptr;
602 RUNNER_ASSERT(0 == tzplatform_context_create(&tzCtxPtr));
603 TzPlatformContextPtr tzCtxPtrSmart(tzCtxPtr);
605 RUNNER_ASSERT_MSG(0 == tzplatform_context_set_user(tzCtxPtr, user.getUid()),
606 "Unable to set user <" << user.getUserName() << "> for tzplatform context");
608 const char *appDir = tzplatform_context_getenv(tzCtxPtr,
609 getGlobalUserId() == user.getUid() ? TZ_SYS_RW_APP : TZ_USER_APP);
610 RUNNER_ASSERT_MSG(nullptr != appDir,
611 "tzplatform_context_getenv failed"
612 << "for getting sys rw app of user <" << user.getUserName() << ">");
614 return std::string(appDir) + "/" + pkgId + "/" + appId;
617 static const std::string nonAppDirPath(const TemporaryTestUser &user)
619 return TMP_DIR + "/" + user.getUserName();
622 static const std::string uidToStr(const uid_t uid)
624 return std::to_string(static_cast<unsigned int>(uid));
627 static void install_and_check(const char *const sm_app_id,
628 const char *const sm_pkg_id,
629 const TemporaryTestUser& user,
630 const std::string &appDir,
633 InstallRequest requestPublic;
635 //install app for non-root user and try to register public path (should fail)
636 prepare_request(requestPublic, sm_app_id, sm_pkg_id,
637 SECURITY_MANAGER_PATH_PUBLIC, appDir.c_str(),
638 requestUid ? user.getUid() : 0);
640 Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
642 InstallRequest requestPrivate;
644 //install app for non-root user
645 //should fail (users may only register folders inside their home)
646 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
647 SECURITY_MANAGER_PATH_RW, SM_RW_PATH,
648 requestUid ? user.getUid() : 0);
650 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
652 InstallRequest requestPrivateUser;
654 //install app for non-root user
655 //should succeed - this time i register folder inside user's home dir
656 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
657 SECURITY_MANAGER_PATH_RW, appDir.c_str(),
658 requestUid ? user.getUid() : 0);
660 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
661 requestPrivateUser.addPrivilege(privilege.c_str());
663 Api::install(requestPrivateUser);
665 check_app_permissions(sm_app_id, sm_pkg_id,
666 uidToStr(user.getUid()).c_str(),
667 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
670 static void createTestDir(const std::string &dir)
672 mode_t dirMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
673 mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
674 mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
676 mktreeSafe(dir, dirMode);
677 creatSafe(dir + "/" + EXEC_FILE, execFileMode);
678 creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
679 symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
680 symlinkSafe(dir + "/" + NORMAL_FILE, dir + "/" + LINK_PREFIX + NORMAL_FILE);
683 static void createInnerAppDir(const std::string &dir, const std::string &nonAppDir)
687 symlinkSafe(nonAppDir, dir + "/" + LINK_PREFIX + "non_app_dir");
688 symlinkSafe(nonAppDir + "/" + EXEC_FILE,
689 dir + "/" + LINK_PREFIX + "non_app_" + EXEC_FILE);
690 symlinkSafe(nonAppDir + "/" + NORMAL_FILE,
691 dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
694 static void generateAppDir(const TemporaryTestUser &user,
695 const std::string &appId, const std::string &pkgId)
697 const std::string dir = appDirPath(user, appId, pkgId);
698 const std::string nonAppDir = nonAppDirPath(user);
700 createInnerAppDir(dir, nonAppDir);
701 createInnerAppDir(dir + "/.inner_dir", nonAppDir);
702 createInnerAppDir(dir + "/inner_dir", nonAppDir);
705 static void generateNonAppDir(const TemporaryTestUser &user)
707 const std::string dir = nonAppDirPath(user);
710 createTestDir(dir + "/.inner_dir");
711 createTestDir(dir + "/inner_dir");
714 static void createTestDirs(const TemporaryTestUser &user,
715 const std::string &appId, const std::string &pkgId)
717 generateAppDir(user, appId, pkgId);
718 generateNonAppDir(user);
721 static void removeTestDirs(const TemporaryTestUser &user,
722 const std::string &appId, const std::string &pkgId)
724 removeDir(appDirPath(user, appId, pkgId));
725 removeDir(nonAppDirPath(user));
728 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
731 const char *const sm_app_id = "sm_test_04a_app_id_uid";
732 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
733 const std::string new_user_name = "sm_test_04a_user_name";
735 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
738 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
739 createTestDirs(testUser, sm_app_id, sm_pkg_id);
741 const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
743 //switch user to non-root
744 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
745 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
747 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
749 //uninstall app as non-root user
750 InstallRequest request;
751 request.setAppId(sm_app_id);
753 Api::uninstall(request);
755 check_app_permissions(sm_app_id, sm_pkg_id,
756 uidToStr(testUser.getUid()).c_str(),
757 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
760 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
763 const char *const sm_app_id = "sm_test_04b_app_id_uid";
764 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
765 const std::string new_user_name = "sm_test_04b_user_name";
767 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
770 removeTestDirs(testUser, sm_app_id, sm_pkg_id);
771 createTestDirs(testUser, sm_app_id, sm_pkg_id);
773 install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser, sm_app_id, sm_pkg_id), true);
775 //switch user to non-root - root may not uninstall apps for specified users
776 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
777 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
779 //uninstall app as non-root user
780 InstallRequest request;
781 request.setAppId(sm_app_id);
783 Api::uninstall(request);
785 check_app_permissions(sm_app_id, sm_pkg_id,
786 uidToStr(testUser.getUid()).c_str(),
787 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
791 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
794 CapsSetsUniquePtr caps, caps_empty(cap_init());
796 caps.reset(cap_from_text("all=eip"));
797 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
798 result = cap_set_proc(caps.get());
799 RUNNER_ASSERT_MSG(result == 0,
800 "can't set capabilities. Result: " << result);
802 Api::dropProcessPrivileges();
804 caps.reset(cap_get_proc());
805 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
807 result = cap_compare(caps.get(), caps_empty.get());
808 RUNNER_ASSERT_MSG(result == 0,
809 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
812 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
814 const char *const app_id = "sm_test_06_app_id_install_app_offline";
815 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
817 // Uninstall app on-line, off-line mode doesn't support it
818 uninstall_app(app_id, pkg_id, true);
820 ServiceManager("security-manager.service").stopService();
822 ServiceManager serviceManager("security-manager.socket");
823 serviceManager.stopService();
825 install_app(app_id, pkg_id);
827 serviceManager.startService();
829 uninstall_app(app_id, pkg_id, true);
832 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
834 const char *const sm_app_id = "sm_test_07_app_id_user";
835 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
836 const std::string new_user_name = "sm_test_07_user_name";
837 std::string uid_string;
838 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
840 test_user.getUidString(uid_string);
842 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
843 createTestDirs(test_user, sm_app_id, sm_pkg_id);
845 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
847 check_app_after_install(sm_app_id, sm_pkg_id);
851 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
853 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
856 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
858 UserRequest addUserRequest;
860 const char *const sm_app_id = "sm_test_08_app_id_user";
861 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
862 const std::string new_user_name = "sm_test_08_user_name";
863 std::string uid_string;
866 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
868 test_user.getUidString(uid_string);
870 removeTestDirs(test_user, sm_app_id, sm_pkg_id);
871 createTestDirs(test_user, sm_app_id, sm_pkg_id);
873 addUserRequest.setUid(test_user.getUid());
874 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
877 Api::addUser(addUserRequest);
879 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
881 check_app_after_install(sm_app_id, sm_pkg_id);
885 UserRequest deleteUserRequest;
886 deleteUserRequest.setUid(test_user.getUid());
888 Api::deleteUser(deleteUserRequest);
890 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
892 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
895 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
897 const char *const app_id = "security_manager_09_add_user_offline_app";
898 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
899 const std::string new_user_name("sm_test_09_user_name");
901 ServiceManager("security-manager.service").stopService();
903 ServiceManager serviceManager("security-manager.socket");
904 serviceManager.stopService();
906 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, true);
909 removeTestDirs(test_user, app_id, pkg_id);
910 createTestDirs(test_user, app_id, pkg_id);
912 install_app(app_id, pkg_id, test_user.getUid());
914 check_app_after_install(app_id, pkg_id);
916 serviceManager.startService();
920 check_app_after_uninstall(app_id, pkg_id, true);
923 RUNNER_MULTIPROCESS_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
926 const std::string username("sm_test_10_user_name");
927 unsigned int privileges_count = 0;
929 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
930 std::map<std::string, std::set<std::string>> apps2PrivsMap;
932 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
933 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
934 MANY_APPS.at(i), std::set<std::string>(
935 MANY_APPS_PRIVILEGES.at(i).begin(),
936 MANY_APPS_PRIVILEGES.at(i).end())));
937 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
940 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
941 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
943 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
948 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
950 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
953 if (pid != 0) { //parent process
954 TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
957 for(const auto &user : users2AppsMap) {
959 for(const auto &app : user.second) {
960 InstallRequest requestInst;
961 requestInst.setAppId(app.first.c_str());
963 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
964 } catch (const std::out_of_range &e) {
965 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
967 requestInst.setUid(tmpUser.getUid());
969 for (const auto &privilege : app.second) {
970 requestInst.addPrivilege(privilege.c_str());
973 Api::install(requestInst);
976 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
978 //Start child process
980 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
988 if (pid == 0) { //child process
990 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
991 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
993 struct passwd *pw = getUserStruct(username);
994 register_current_process_as_privilege_manager(pw->pw_uid);
995 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
996 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
998 std::vector<PolicyEntry> policyEntries;
1000 Api::getPolicy(filter, policyEntries);
1002 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1003 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1005 for (const auto &policyEntry : policyEntries) {
1006 std::string user = policyEntry.getUser();
1007 std::string app = policyEntry.getAppId();
1008 std::string privilege = policyEntry.getPrivilege();
1011 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1012 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1013 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1014 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1015 } catch (const std::out_of_range &e) {
1016 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1017 } catch (const std::invalid_argument& e) {
1018 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1025 RUNNER_MULTIPROCESS_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
1028 const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
1029 unsigned int privileges_count = 0;
1031 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1032 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1034 for (const auto &username : usernames) {
1035 //Only entries for one of the users will be listed
1036 privileges_count = 0;
1038 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1039 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1040 MANY_APPS.at(i), std::set<std::string>(
1041 MANY_APPS_PRIVILEGES.at(i).begin(),
1042 MANY_APPS_PRIVILEGES.at(i).end())));
1043 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1046 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1049 users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
1050 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1057 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1059 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1062 if (pid != 0) { //parent process
1063 std::vector<TemporaryTestUser> users = {
1064 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1065 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1068 users.at(0).create();
1069 users.at(1).create();
1071 //Install apps for both users
1072 for(const auto &user : users) {
1073 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1074 InstallRequest requestInst;
1075 requestInst.setAppId(app.first.c_str());
1077 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1078 } catch (const std::out_of_range &e) {
1079 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1081 requestInst.setUid(user.getUid());
1083 for (const auto &privilege : app.second) {
1084 requestInst.addPrivilege(privilege.c_str());
1087 Api::install(requestInst);
1090 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1094 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1099 for(auto &user : users) {
1106 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1107 struct passwd *pw = getUserStruct(usernames.at(0));
1108 register_current_process_as_privilege_manager(pw->pw_uid);
1110 //change uid to normal user
1112 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1113 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1115 std::vector<PolicyEntry> policyEntries;
1118 //this call should only return privileges belonging to the current uid
1119 Api::getPolicy(filter, policyEntries);
1121 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1122 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1124 for (const auto &policyEntry : policyEntries) {
1125 std::string user = policyEntry.getUser();
1126 std::string app = policyEntry.getAppId();
1127 std::string privilege = policyEntry.getPrivilege();
1130 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1131 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1132 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1133 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1134 } catch (const std::out_of_range &e) {
1135 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1136 } catch (const std::invalid_argument& e) {
1137 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1144 RUNNER_MULTIPROCESS_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
1147 const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
1148 unsigned int privileges_count = 0;
1150 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1151 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1153 for (const auto &username : usernames) {
1155 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1156 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1157 MANY_APPS.at(i), std::set<std::string>(
1158 MANY_APPS_PRIVILEGES.at(i).begin(),
1159 MANY_APPS_PRIVILEGES.at(i).end())));
1160 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1163 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1166 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1167 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
1169 privileges_count += 2;
1174 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1176 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1179 if (pid != 0) { //parent process
1180 std::vector<TemporaryTestUser> users = {
1181 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1182 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1185 users.at(0).create();
1186 users.at(1).create();
1187 //Install apps for both users
1188 for(const auto &user : users) {
1189 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1190 InstallRequest requestInst;
1191 requestInst.setAppId(app.first.c_str());
1193 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1194 } catch (const std::out_of_range &e) {
1195 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1197 requestInst.setUid(user.getUid());
1199 for (const auto &privilege : app.second) {
1200 requestInst.addPrivilege(privilege.c_str());
1203 Api::install(requestInst);
1206 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1211 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1213 //Wait for child to finish
1217 for(auto &user : users) {
1222 if (pid == 0) { //child process
1224 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1226 struct passwd *pw = getUserStruct(usernames.at(1));
1227 register_current_process_as_privilege_manager(pw->pw_uid, true);
1229 //change uid to normal user
1230 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1231 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1233 std::vector<PolicyEntry> policyEntries;
1235 //this call should succeed as the calling user is privileged
1236 Api::getPolicy(filter, policyEntries);
1238 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1239 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1241 for (const auto &policyEntry : policyEntries) {
1242 std::string user = policyEntry.getUser();
1243 std::string app = policyEntry.getAppId();
1244 std::string privilege = policyEntry.getPrivilege();
1247 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1248 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1249 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1250 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1251 } catch (const std::out_of_range &e) {
1252 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1253 } catch (const std::invalid_argument& e) {
1254 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1262 RUNNER_MULTIPROCESS_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
1265 const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
1267 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1268 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1270 for (const auto &username : usernames) {
1272 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1273 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1274 MANY_APPS.at(i), std::set<std::string>(
1275 MANY_APPS_PRIVILEGES.at(i).begin(),
1276 MANY_APPS_PRIVILEGES.at(i).end())));
1279 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1282 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1283 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1290 RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
1292 RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
1294 RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
1296 RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
1297 std::vector<PolicyEntry> policyEntries;
1301 if(pid[0] == 0) { //child #1 process
1302 RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
1303 struct passwd *pw = getUserStruct(usernames.at(0));
1304 register_current_process_as_privilege_manager(pw->pw_uid);
1306 //change uid to normal user
1307 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1308 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1311 PolicyRequest policyRequest;
1312 //this call should succeed as the calling user is privileged
1313 Api::getPolicyForSelf(filter, policyEntries);
1315 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1317 PolicyEntry policyEntry(
1319 std::to_string(pw->pw_uid),
1320 "http://tizen.org/privilege/internet"
1322 policyEntry.setLevel("Deny");
1324 policyRequest.addEntry(policyEntry);
1325 policyEntry = PolicyEntry(
1327 std::to_string(pw->pw_uid),
1328 "http://tizen.org/privilege/location"
1330 policyEntry.setLevel("Deny");
1332 policyRequest.addEntry(policyEntry);
1333 Api::sendPolicy(policyRequest);
1334 Api::getPolicyForSelf(filter, policyEntries);
1336 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1340 if (pid[0] != 0) {//parent process
1343 if (pid[1] == 0) { //child #2 process
1345 RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
1346 struct passwd *pw_target = getUserStruct(usernames.at(0));
1347 struct passwd *pw = getUserStruct(usernames.at(1));
1348 register_current_process_as_privilege_manager(pw->pw_uid);
1350 //change uid to normal user
1351 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1352 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1354 PolicyEntry filter = PolicyEntry(
1355 SECURITY_MANAGER_ANY,
1356 std::to_string(pw_target->pw_uid),
1357 SECURITY_MANAGER_ANY
1360 //U2 requests contents of U1 privacy manager - should fail
1361 Api::getPolicyForSelf(filter, policyEntries);
1362 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1364 filter = PolicyEntry(
1365 SECURITY_MANAGER_ANY,
1366 SECURITY_MANAGER_ANY,
1367 SECURITY_MANAGER_ANY
1370 policyEntries.clear();
1372 //U2 requests contents of ADMIN bucket - should fail
1373 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
1374 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1378 if (pid[1] != 0) { //parent
1380 std::vector<TemporaryTestUser> users = {
1381 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1382 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1385 users.at(0).create();
1386 users.at(1).create();
1388 //Install apps for both users
1389 for(const auto &user : users2AppsMap) {
1391 for(const auto &app : user.second) {
1392 InstallRequest requestInst;
1393 requestInst.setAppId(app.first.c_str());
1395 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1396 } catch (const std::out_of_range &e) {
1397 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1399 requestInst.setUid(users.at(0).getUid());
1401 for (const auto &privilege : app.second) {
1402 requestInst.addPrivilege(privilege.c_str());
1405 Api::install(requestInst);
1408 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1414 RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
1416 //Wait until child #1 finishes
1417 pid_t ret = wait(&status);
1418 RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
1422 RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
1423 //Wait until child #2 finishes
1424 ret = wait(&status);
1425 RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
1427 for(auto &user : users) {
1431 sem_close(mutex[0]);
1432 sem_close(mutex[1]);
1437 RUNNER_MULTIPROCESS_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
1440 const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
1441 unsigned int privileges_count = 0;
1443 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1444 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1446 for (const auto &username : usernames) {
1448 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1449 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1450 MANY_APPS.at(i), std::set<std::string>(
1451 MANY_APPS_PRIVILEGES.at(i).begin(),
1452 MANY_APPS_PRIVILEGES.at(i).end())));
1453 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1456 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1459 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1460 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1462 privileges_count += 2;
1466 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1468 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1472 std::vector<TemporaryTestUser> users = {
1473 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1474 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1477 users.at(0).create();
1478 users.at(1).create();
1480 //Install apps for both users
1481 for(const auto &user : users) {
1483 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1484 InstallRequest requestInst;
1485 requestInst.setAppId(app.first.c_str());
1487 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1488 } catch (const std::out_of_range &e) {
1489 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1491 requestInst.setUid(user.getUid());
1493 for (const auto &privilege : app.second) {
1494 requestInst.addPrivilege(privilege.c_str());
1497 Api::install(requestInst);
1500 //Start child process
1502 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1504 //Wait for child process to finish
1507 //switch back to root
1508 for(auto &user : users) {
1515 if (pid == 0) { //child process
1517 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
1519 struct passwd *pw = getUserStruct(usernames.at(0));
1520 register_current_process_as_privilege_manager(pw->pw_uid, true);
1522 //change uid to normal user
1523 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1524 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1526 PolicyRequest *policyRequest = new PolicyRequest();
1528 std::vector<PolicyEntry> policyEntries;
1529 //this call should succeed as the calling user is privileged
1530 Api::getPolicyForSelf(filter, policyEntries);
1532 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1534 PolicyEntry policyEntry(
1535 SECURITY_MANAGER_ANY,
1536 SECURITY_MANAGER_ANY,
1537 "http://tizen.org/privilege/internet"
1539 policyEntry.setMaxLevel("Deny");
1541 policyRequest->addEntry(policyEntry);
1542 policyEntry = PolicyEntry(
1543 SECURITY_MANAGER_ANY,
1544 SECURITY_MANAGER_ANY,
1545 "http://tizen.org/privilege/location"
1547 policyEntry.setMaxLevel("Deny");
1549 policyRequest->addEntry(policyEntry);
1550 Api::sendPolicy(*policyRequest);
1551 Api::getPolicyForAdmin(filter, policyEntries);
1553 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1555 delete policyRequest;
1556 policyRequest = new PolicyRequest();
1557 policyEntry = PolicyEntry(
1558 SECURITY_MANAGER_ANY,
1559 SECURITY_MANAGER_ANY,
1560 "http://tizen.org/privilege/internet"
1562 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1563 policyRequest->addEntry(policyEntry);
1565 policyEntry = PolicyEntry(
1566 SECURITY_MANAGER_ANY,
1567 SECURITY_MANAGER_ANY,
1568 "http://tizen.org/privilege/location"
1570 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1572 policyRequest->addEntry(policyEntry);
1573 Api::sendPolicy(*policyRequest);
1575 policyEntries.clear();
1576 Api::getPolicyForAdmin(filter, policyEntries);
1577 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
1579 delete policyRequest;
1586 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
1588 const char *const update_app_id = "security_manager_15_update_app_id";
1589 const char *const update_privilege = "http://tizen.org/privilege/led";
1590 const char *const check_start_bucket = "ADMIN";
1591 const std::string username("sm_test_15_username");
1592 PolicyRequest addPolicyRequest;
1593 CynaraTestAdmin::Admin admin;
1604 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1606 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
1610 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1611 if (pid != 0)//parent process
1613 FdUniquePtr pipeptr(pipefd+1);
1616 register_current_process_as_privilege_manager(user.getUid(), true);
1618 //send info to child
1619 msg.uid = user.getUid();
1620 msg.gid = user.getGid();
1622 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1623 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1626 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1628 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1629 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1633 FdUniquePtr pipeptr(pipefd);
1636 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1637 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1639 //become admin privacy manager manager
1640 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1641 result = drop_root_privileges(msg.uid, msg.gid);
1642 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1644 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1645 entry.setMaxLevel("Allow");
1647 addPolicyRequest.addEntry(entry);
1648 Api::sendPolicy(addPolicyRequest);
1653 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
1655 const char *const update_other_app_id = "security_manager_15_update_other_app_id";
1656 const char *const update_privilege = "http://tizen.org/privilege/led";
1657 const char *const check_start_bucket = "ADMIN";
1658 const std::string username("sm_test_15_username");
1659 PolicyRequest addPolicyRequest;
1660 CynaraTestAdmin::Admin admin;
1671 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1673 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
1677 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1678 if (pid != 0)//parent process
1680 FdUniquePtr pipeptr(pipefd+1);
1683 register_current_process_as_privilege_manager(user.getUid(), true);
1685 //send info to child
1686 msg.uid = user.getUid();
1687 msg.gid = user.getGid();
1689 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1690 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1693 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1695 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
1696 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1700 FdUniquePtr pipeptr(pipefd);
1703 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1704 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1706 //become admin privacy manager manager
1707 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1708 result = drop_root_privileges(msg.uid, msg.gid);
1709 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1711 // use wildcard as appId
1712 PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1713 entry.setMaxLevel("Allow");
1715 addPolicyRequest.addEntry(entry);
1716 Api::sendPolicy(addPolicyRequest);
1721 RUNNER_MULTIPROCESS_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
1723 const char *const update_app_id = "security_manager_15_update_app_id";
1724 const char *const update_privilege = "http://tizen.org/privilege/led";
1725 const char *const check_start_bucket = "";
1726 const std::string username("sm_test_15_username");
1727 PolicyRequest addPolicyRequest;
1728 CynaraTestAdmin::Admin admin;
1739 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1741 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1745 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1746 if (pid != 0)//parent process
1748 FdUniquePtr pipeptr(pipefd+1);
1751 register_current_process_as_privilege_manager(user.getUid(), false);
1753 //send info to child
1754 msg.uid = user.getUid();
1755 msg.gid = user.getGid();
1757 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1758 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1761 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1763 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1764 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1768 FdUniquePtr pipeptr(pipefd);
1771 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1772 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1774 //become admin privacy manager manager
1775 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1776 result = drop_root_privileges(msg.uid, msg.gid);
1777 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1779 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1780 entry.setLevel("Allow");
1782 addPolicyRequest.addEntry(entry);
1783 Api::sendPolicy(addPolicyRequest);
1788 RUNNER_MULTIPROCESS_TEST(security_manager_16_policy_levels_get)
1790 const std::string username("sm_test_16_user_cynara_policy");
1791 CynaraTestAdmin::Admin admin;
1801 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1803 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1807 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1808 if (pid != 0)//parent process
1810 FdUniquePtr pipeptr(pipefd+1);
1813 //send info to child
1814 msg.uid = user.getUid();
1815 msg.gid = user.getGid();
1817 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1818 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1821 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1827 std::string allow_policy, deny_policy;
1829 FdUniquePtr pipeptr(pipefd);
1832 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1833 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1835 //become admin privacy manager manager
1836 result = drop_root_privileges(msg.uid, msg.gid);
1837 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1839 // without plugins there should only be 2 policies - Allow and Deny
1840 ret = security_manager_policy_levels_get(&levels, &count);
1842 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
1843 "Invlid return code: " << ret);
1845 RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
1847 deny_policy = std::string(levels[0]);
1848 allow_policy = std::string(levels[count-1]);
1850 // first should always be Deny
1851 RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
1852 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
1854 // last should always be Allow
1855 RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
1856 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
1858 security_manager_policy_levels_free(levels, count);
1863 RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
1865 const char *const update_app_id = "security_manager_17_update_app_id";
1866 const char *const update_privilege = "http://tizen.org/privilege/led";
1867 const char *const check_start_bucket = "";
1868 const std::string username("sm_test_17_username");
1869 PolicyRequest addPolicyRequest;
1870 CynaraTestAdmin::Admin admin;
1882 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1883 RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
1885 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1889 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1890 if (pid != 0)//parent process
1892 FdUniquePtr pipeptr(pipefd+1);
1895 register_current_process_as_privilege_manager(user.getUid(), false);
1897 //send info to child
1898 msg.uid = user.getUid();
1899 msg.gid = user.getGid();
1901 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1902 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1905 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1907 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1908 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1911 if (pid != 0)//parent process
1913 FdUniquePtr pipeptr(pipefd2+1);
1916 //send info to child
1917 msg.uid = user.getUid();
1918 msg.gid = user.getGid();
1920 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
1921 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1924 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
1927 waitpid(-1, &result, 0);
1929 admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
1930 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
1934 FdUniquePtr pipeptr(pipefd2);
1937 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
1938 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1940 //become admin privacy manager manager
1941 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1942 result = drop_root_privileges(msg.uid, msg.gid);
1943 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1945 // delete this entry
1946 PolicyRequest deletePolicyRequest;
1947 PolicyEntry deleteEntry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1948 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
1950 deletePolicyRequest.addEntry(deleteEntry);
1951 Api::sendPolicy(deletePolicyRequest);
1957 FdUniquePtr pipeptr(pipefd);
1960 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1961 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1963 //become admin privacy manager manager
1964 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1965 result = drop_root_privileges(msg.uid, msg.gid);
1966 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1968 PolicyEntry entry(update_app_id, std::to_string(static_cast<int>(msg.uid)), update_privilege);
1969 entry.setLevel("Allow");
1971 addPolicyRequest.addEntry(entry);
1972 Api::sendPolicy(addPolicyRequest);
1977 RUNNER_MULTIPROCESS_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
1979 const std::string username("sm_test_17_user_name");
1984 unsigned int privileges_count;
1991 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1994 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1995 if (pid != 0)//parent process
1997 FdUniquePtr pipeptr(pipefd+1);
2000 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
2003 unsigned int privileges_count = 0;
2005 register_current_process_as_privilege_manager(user.getUid(), false);
2006 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
2009 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
2010 InstallRequest requestInst;
2011 requestInst.setAppId(MANY_APPS[i].c_str());
2012 requestInst.setPkgId(MANY_APPS_PKGS.at(MANY_APPS[i]).c_str());
2013 requestInst.setUid(user.getUid());
2015 for (auto &priv : MANY_APPS_PRIVILEGES.at(i)) {
2016 requestInst.addPrivilege(priv.c_str());
2019 Api::install(requestInst);
2020 privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
2023 //send info to child
2024 msg.uid = user.getUid();
2025 msg.gid = user.getGid();
2026 msg.privileges_count = privileges_count;
2028 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
2029 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
2032 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
2036 FdUniquePtr pipeptr(pipefd);
2039 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
2040 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
2042 //become admin privacy manager manager
2043 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
2044 result = drop_root_privileges(msg.uid, msg.gid);
2045 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
2047 // filter by privilege
2048 std::vector<PolicyEntry> policyEntries;
2049 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
2050 Api::getPolicy(filter, policyEntries);
2052 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2053 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
2055 // filter by other privilege
2056 policyEntries.clear();
2057 PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
2058 Api::getPolicy(filter2, policyEntries);
2060 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2061 RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
2064 policyEntries.clear();
2065 PolicyEntry filter3(MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
2066 Api::getPolicy(filter3, policyEntries);
2068 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
2069 RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
2073 RUNNER_CHILD_TEST(security_manager_10_user_cynara_policy)
2075 const char *const MAIN_BUCKET = "MAIN";
2076 const char *const MANIFESTS_BUCKET = "MANIFESTS";
2077 const char *const ADMIN_BUCKET = "ADMIN";
2078 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
2079 const std::string username("sm_test_10_user_cynara_policy");
2080 CynaraTestAdmin::Admin admin;
2081 std::string uid_string;
2082 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2084 user.getUidString(uid_string);
2086 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
2087 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
2088 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
2091 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
2093 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2094 admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2095 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2096 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
2099 RUNNER_CHILD_TEST(security_manager_11_security_manager_cmd_install)
2102 const int SUCCESS = 0;
2103 const int FAILURE = 256;
2104 const std::string app_id = "security_manager_10_app";
2105 const std::string pkg_id = "security_manager_10_pkg";
2106 const std::string username("sm_test_10_user_name");
2107 std::string uid_string;
2108 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2110 user.getUidString(uid_string);
2111 const std::string path1 = appDirPath(user, app_id, pkg_id) + "/p1";
2112 const std::string path2 = appDirPath(user, app_id, pkg_id) + "/p2";
2113 const std::string pkgopt = " --pkg=" + pkg_id;
2114 const std::string appopt = " --app=" + app_id;
2115 const std::string uidopt = " --uid=" + uid_string;
2117 mktreeSafe(path1.c_str(), 0);
2118 mktreeSafe(path2.c_str(), 0);
2120 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
2123 std::string command;
2124 int expected_result;
2126 std::vector<struct operation> operations = {
2127 {"security-manager-cmd", FAILURE},//no option
2128 {"security-manager-cmd --blah", FAILURE},//blah option is not known
2129 {"security-manager-cmd --help", SUCCESS},
2130 {"security-manager-cmd --install", FAILURE},//no params
2131 {"security-manager-cmd -i", FAILURE},//no params
2132 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
2133 {installcmd, SUCCESS},
2134 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
2135 {installcmd + " --path " + path1 + " writable", SUCCESS},
2136 {installcmd + " --path " + path1, FAILURE},//no path type
2137 {installcmd + " --path " + path1 + " writable" + " --path " + path2 + " readable", SUCCESS},
2138 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " readable", FAILURE},//wrong path type
2139 {installcmd + " --path " + path1 + " writable" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
2142 for (auto &op : operations) {
2143 ret = system(op.command.c_str());
2144 RUNNER_ASSERT_MSG(ret == op.expected_result,
2145 "Unexpected result for command '" << op.command <<"': "
2146 << ret << " Expected was: "<< op.expected_result);
2150 RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
2153 const int SUCCESS = 0;
2154 const int FAILURE = 256;
2155 const std::string username("sm_test_11_user_name");
2156 std::string uid_string;
2157 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
2159 user.getUidString(uid_string);
2160 const std::string uidopt = " --uid=" + uid_string;
2163 std::string command;
2164 int expected_result;
2166 std::vector<struct operation> operations = {
2167 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
2168 {"security-manager-cmd -m", FAILURE},//no params
2169 {"security-manager-cmd -mr", FAILURE},//no uid
2170 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
2171 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
2172 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
2173 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
2174 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
2175 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
2176 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
2177 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
2180 for (auto &op : operations) {
2181 ret = system(op.command.c_str());
2182 RUNNER_ASSERT_MSG(ret == op.expected_result,
2183 "Unexpected result for command '" << op.command <<"': "
2184 << ret << " Expected was: "<< op.expected_result);
2188 RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
2190 const int BUFFER_SIZE = 128;
2194 char buf[BUFFER_SIZE];
2197 privileges_t admin_required_privs = {
2198 "http://tizen.org/privilege/systemsettings.admin",
2199 "http://tizen.org/privilege/systemsettings"};
2200 privileges_t manifest_privs = {
2201 "http://tizen.org/privilege/internet",
2202 "http://tizen.org/privilege/camera"};
2203 privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
2204 privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
2206 const std::string pirivman_id = "sm_test_13_ADMIN_APP";
2207 const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
2208 const std::string app_id = "sm_test_13_SOME_APP";
2209 const std::string pkg_id = "sm_test_13_SOME_PKG";
2215 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
2217 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
2218 if (pid != 0)//parent process
2220 std::string childuidstr;
2221 TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
2222 TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
2224 InstallRequest request,request2;
2225 FdUniquePtr pipeptr(pipefd+1);
2230 child.getUidString(childuidstr);
2232 //install privacy manager for admin
2233 request.setAppId(pirivman_id.c_str());
2234 request.setPkgId(pirivman_pkg_id.c_str());
2235 request.setUid(admin.getUid());
2236 for (auto &priv: admin_required_privs)
2237 request.addPrivilege(priv.c_str());
2238 Api::install(request);
2240 //install app for child that has internet privilege
2241 request2.setAppId(app_id.c_str());
2242 request2.setPkgId(pkg_id.c_str());
2243 request2.setUid(child.getUid());
2244 for (auto &priv: manifest_privs)
2245 request2.addPrivilege(priv.c_str());
2246 Api::install(request2);
2248 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
2249 manifest_privs, SM_NO_PRIVILEGES);
2251 //send info to child
2252 msg.uid = admin.getUid();
2253 msg.gid = admin.getGid();
2254 strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
2256 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
2257 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
2260 RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
2262 check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
2263 real_privs_allow, real_privs_deny);
2265 if (pid == 0)//child
2267 FdUniquePtr pipeptr(pipefd);
2270 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
2271 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
2273 //become admin privacy manager manager
2274 Api::setProcessLabel(pirivman_id.c_str());
2275 result = drop_root_privileges(msg.uid, msg.gid);
2276 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
2277 PolicyRequest addPolicyReq;
2279 for (auto &denypriv:real_privs_deny) {
2280 /*this entry will deny some privileges for user whose uid (as c string)
2281 was sent in message's buf field.
2282 That user would be denying internet for child in this case*/
2283 PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
2284 entry.setMaxLevel("Deny");
2285 addPolicyReq.addEntry(entry);
2287 Api::sendPolicy(addPolicyReq);
2292 int main(int argc, char *argv[])
2294 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);