2 * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include <linux/xattr.h>
22 #include <sys/capability.h>
23 #include <sys/smack.h>
24 #include <sys/types.h>
27 #include <cynara-admin.h>
29 #include <cynara_test_admin.h>
30 #include <dpl/test/test_runner.h>
31 #include <label_generator.h>
32 #include <message_pipe.h>
33 #include <policy_configuration.h>
34 #include <scoped_installer.h>
35 #include <service_manager.h>
37 #include <sm_commons.h>
38 #include <sm_request.h>
39 #include <synchronization_pipe.h>
40 #include <temp_test_user.h>
41 #include <tests_common.h>
42 #include <tzplatform.h>
44 #include <scoped_process_label.h>
45 #include <scoped_app_launcher.h>
46 #include <app_install_helper_ext.h>
47 #include <privilege_names.h>
48 #include <app_def_privilege.h>
50 using namespace SecurityManagerTest;
51 using namespace PrivilegeNames;
53 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
55 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
57 AppInstallHelperExt app("sm_test_01a_app");
59 ScopedInstaller appInstall(app);
60 app.checkAfterInstall();
62 ScopedInstaller appInstall2(app);
63 app.checkAfterInstall();
65 app.checkAfterUninstall();
69 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
71 AppInstallHelperExt app("sm_test_01b");
73 ScopedInstaller appInstall(app);
75 InstallRequest requestInst2;
76 requestInst2.setAppId(app.getAppId());
77 requestInst2.setPkgId(app.getPkgId() + "_wrong");
79 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
81 app.checkAfterInstall();
83 app.checkAfterUninstall();
86 RUNNER_TEST(security_manager_01c_app_uninstall_wrong_pkg_id)
88 AppInstallHelperExt app("sm_test_01c");
89 ScopedInstaller appInstall(app);
91 app.checkAfterInstall();
93 InstallRequest requestUninst;
94 requestUninst.setAppId(app.getAppId());
95 requestUninst.setPkgId(app.getPkgId() + "_wrong_pkg_id");
97 Api::uninstall(requestUninst, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
101 * This test uses files installed with security-tests package
103 RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree)
105 const std::string appId = "sm_test_01d_app_id_full";
106 const std::string pkgId = "sm_test_01d_pkg_id_full";
108 const std::string rootDir = TzPlatformConfig::globalAppDir() + "/" + pkgId + "/";
109 const std::string privateDir = rootDir + "app_dir/";
110 const std::string privateRODir = rootDir + "app_dir_ro/";
111 const std::string publicRODir = rootDir + "app_dir_public_ro/";
112 const std::string sharedRODir = rootDir + "app_dir_rw_others_ro/";
114 int result = nftw(rootDir.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
115 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << rootDir);
117 InstallRequest requestInst;
118 requestInst.setAppId(appId);
119 requestInst.setPkgId(pkgId);
120 requestInst.addPath(privateDir, SECURITY_MANAGER_PATH_RW);
121 requestInst.addPath(privateRODir, SECURITY_MANAGER_PATH_RO);
122 requestInst.addPath(publicRODir, SECURITY_MANAGER_PATH_PUBLIC_RO);
123 requestInst.addPath(sharedRODir, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
124 Api::install(requestInst);
126 std::unique_ptr<InstallRequest, std::function<void(InstallRequest*)>> appCleanup(&requestInst,
127 [](InstallRequest *req) {
128 Api::uninstall(*req);
131 check_path(privateDir, generatePathRWLabel(pkgId));
132 check_path(privateRODir, generatePathROLabel(pkgId), false);
133 check_path(publicRODir, getPublicPathLabel());
134 check_path(sharedRODir, getSharedROPathLabel());
137 RUNNER_CHILD_TEST(security_manager_02_app_install_uninstall_full)
139 const PrivilegeVector defaultPrivs = {
141 PRIV_INTERNAL_DISPLAY,
144 const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
145 const PrivilegeVector someDeniedPrivs = {PRIV_INTERNET, PRIV_EXTERNALSTORAGE};
147 PrivilegeVector defaultAllowedPrivs = defaultPrivs;
148 defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
150 AppInstallHelperExt app("sm_test_02");
151 app.createPrivateDir();
152 app.createPrivateRODir();
153 app.createPublicDir();
154 app.createSharedRODir();
155 app.addPrivileges(allowedPrivs);
157 ScopedInstaller appInstall(app);
159 app.checkAfterInstall();
160 app.checkDeniedPrivileges(someDeniedPrivs);
162 ScopedAppLauncher launcher(app, [&]{ app.checkGroupPrivileges(defaultAllowedPrivs); });
165 check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
166 check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
167 check_path(app.getPublicDir(), getPublicPathLabel());
168 check_path(app.getSharedRODir(), getSharedROPathLabel());
171 app.checkAfterUninstall();
174 RUNNER_CHILD_TEST(security_manager_02a_set_process_groups)
176 const PrivilegeVector defaultPrivs = {
178 PRIV_INTERNAL_DISPLAY,
181 const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
183 auto defaultAllowedPrivs = defaultPrivs;
184 defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
186 AppInstallHelperExt app("sm_test_02a");
187 app.addPrivileges(allowedPrivs);
189 ScopedInstaller appInstall(app);
191 app.checkAfterInstall();
194 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
198 Api::setProcessGroups(app.getAppId());
199 app.checkGroupPrivileges(defaultAllowedPrivs);
203 app.checkAfterUninstall();
206 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
208 std::string expectedSockLabel = "labelExpectedOnlyFromSocket";
210 AppInstallHelper app("sm_test_03a");
211 std::string expectedProcLabel = generateProcessLabel(app.getAppId(), app.getPkgId());
213 const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03a.socket");
214 int sock = UDSHelpers::createServer(&sockaddr);
215 SockUniquePtr sockPtr(&sock);
217 //Set socket label to something different than expeced process label
218 int result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, expectedSockLabel.c_str());
219 RUNNER_ASSERT_ERRNO_MSG(result == 0,
220 "Can't set socket label. Result: " << result);
221 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, expectedSockLabel.c_str());
222 RUNNER_ASSERT_ERRNO_MSG(result == 0,
223 "Can't set socket label. Result: " << result);
225 ScopedInstaller appInstall(app);
228 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
229 if (pid == 0) { // child
230 Api::setProcessLabel(app.getAppId());
232 char *label = nullptr;
234 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
235 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
236 labelPtr.reset(label);
237 result = expectedSockLabel.compare(label);
238 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
239 expectedProcLabel << " Actual: " << label);
241 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
242 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
243 labelPtr.reset(label);
244 result = expectedSockLabel.compare(label);
245 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
246 expectedProcLabel << " Actual: " << label);
248 result = smack_new_label_from_self(&label);
249 RUNNER_ASSERT_MSG(result >= 0,
250 " Error getting current process label");
251 RUNNER_ASSERT_MSG(label != nullptr,
252 " Process label is not set");
253 labelPtr.reset(label);
255 result = expectedProcLabel.compare(label);
256 RUNNER_ASSERT_MSG(result == 0,
257 " Process label is incorrect. Expected: \"" << expectedProcLabel <<
258 "\" Actual: \"" << label << "\"");
264 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
266 const PrivilegeVector allowedPrivs = {PRIV_BLUETOOTH, PRIV_POWER};
267 const PrivilegeVector someDeniedPrivs = {PRIV_DISPLAY, PRIV_NFC};
269 TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL);
272 AppInstallHelperExt app("sm_test_04a", testUser.getUid());
273 app.addPrivileges(allowedPrivs);
275 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
276 "drop_root_privileges failed");
278 ScopedInstaller appInstall(app, false);
279 app.checkAfterInstall();
280 app.checkDeniedPrivileges(someDeniedPrivs);
282 app.checkAfterUninstall();
283 app.checkDeniedPrivileges(someDeniedPrivs);
286 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) {
287 const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
288 const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
290 TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL);
293 AppInstallHelperExt app("sm_test_04b", testUser.getUid());
294 app.addPrivileges(allowedPrivs);
297 ScopedInstaller appInstall(app);
298 app.checkAfterInstall();
299 app.checkDeniedPrivileges(someDeniedPrivs);
301 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
302 "drop_root_privileges failed");
304 app.checkAfterUninstall();
305 app.checkDeniedPrivileges(someDeniedPrivs);
308 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
311 CapsSetsUniquePtr caps_empty(cap_init());
312 auto caps = setCaps("all=eip");
313 Api::dropProcessPrivileges();
315 caps.reset(cap_get_proc());
316 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
318 result = cap_compare(caps.get(), caps_empty.get());
319 RUNNER_ASSERT_MSG(result == 0,
320 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
323 RUNNER_TEST(security_manager_06_install_app_offline)
325 ServiceManager("security-manager.service").stopService();
327 ServiceManager serviceManager("security-manager.socket");
328 serviceManager.stopService();
330 AppInstallHelper app("sm_test_06");
331 ScopedInstaller appInstall(app);
332 // TODO - check if app is installed properly
333 // start service before uninstall, offline mode doesn't support uninstall
334 serviceManager.startService();
335 appInstall.uninstallApp();
336 // TODO - check if app is uninstalled properly
339 RUNNER_CHILD_TEST(security_manager_07a_user_add_app_install)
341 const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
342 const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
344 TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL);
347 AppInstallHelperExt app("sm_test_07a", testUser.getUid());
348 app.addPrivileges(allowedPrivs);
351 req.setAppId(app.getAppId());
352 req.setPkgId(app.getPkgId());
353 req.setUid(app.getUID());
354 for (const auto &priv: app.getPrivileges()) {
355 req.addPrivilege(priv);
358 app.checkAfterInstall();
359 app.checkDeniedPrivileges(someDeniedPrivs);
363 app.checkAfterUninstall();
364 app.checkDeniedPrivileges(someDeniedPrivs);
367 RUNNER_TEST(security_manager_07b_user_add_offline)
369 ServiceManager("security-manager.service").stopService();
371 ServiceManager serviceManager("security-manager.socket");
372 serviceManager.stopService();
374 TemporaryTestUser testUser("sm_test_07b_user_name", GUM_USERTYPE_NORMAL, true);
377 AppInstallHelperExt app("sm_test_07b", testUser.getUid());
378 ScopedInstaller appInstall(app);
380 serviceManager.startService();
381 app.checkAfterInstall();
384 app.checkAfterUninstall();
387 RUNNER_TEST(security_manager_08_user_double_add_double_remove)
389 const PrivilegeVector somePrivs = {PRIV_LED, PRIV_NOTIFICATION};
392 TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL);
396 UserRequest addUserRequest;
397 addUserRequest.setUid(testUser.getUid());
398 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
399 Api::addUser(addUserRequest);
401 AppInstallHelperExt app("sm_test_08", testUser.getUid());
402 ScopedInstaller appInstall(app);
404 app.checkAfterInstall();
405 app.checkDeniedPrivileges(somePrivs);
410 app.checkAfterUninstall();
413 UserRequest deleteUserRequest;
414 deleteUserRequest.setUid(testUser.getUid());
415 Api::deleteUser(deleteUserRequest);
418 RUNNER_TEST(security_manager_09_app_install_constraint_check)
420 auto install = [](const AppInstallHelperExt& app, bool success)
422 auto expected = success ? SECURITY_MANAGER_SUCCESS : SECURITY_MANAGER_ERROR_INPUT_PARAM;
423 ScopedInstaller appInstall(app, true, expected);
425 app.checkAfterInstall();
429 auto update = [](const AppInstallHelperExt& app)
431 InstallRequest request;
432 request.setAppId(app.getAppId());
433 request.setPkgId(app.getPkgId());
434 request.setAppTizenVersion(app.getVersion());
435 request.setAuthorId(app.getAuthor());
436 request.setUid(app.getUID());
437 if (app.getIsHybrid())
439 Api::update(request);
442 TemporaryTestUser users[] = {
443 {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
444 {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
447 for (auto& gu : users)
450 const char *const pkgIdPrefix[] = {"sm_test_09_0", "sm_test_09_1"};
451 const char *const appIdPrefix[] = {"sm_test_09_0", "sm_test_09_1"};
452 const char *const version[] = {"sm_test_09_0_version", "sm_test_09_1_version"};
453 const char *const author[] = {"sm_test_09_0_author", "sm_test_09_1_author"};
454 bool hybrid[] = {false, true};
456 std::list<AppInstallHelperExt> apps;
458 auto make_helper = [&](size_t userIdx,
463 size_t hybridIdx) -> AppInstallHelperExt&
465 apps.emplace_back(appIdPrefix[appIdx], pkgIdPrefix[pkgIdx], users[userIdx].getUid());
466 apps.back().setAuthor(author[authorIdx]);
467 apps.back().setVersion(version[verIdx]);
468 if (hybrid[hybridIdx])
469 apps.back().setHybrid();
473 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok
474 auto &app000000 = make_helper(0, 0, 0, 0, 0, 0);
475 auto i1 = install(app000000, true);
477 // uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
478 auto& app100000 = make_helper(1, 0, 0, 0, 0, 0);
479 install(app100000, true);
481 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> conflicts with existing non hybrid app
482 auto& app000001 = make_helper(0, 0, 0, 0, 0, 1);
483 install(app000001, false);
485 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok (app updated to hybrid)
488 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok (app installed again)
489 auto i2 = install(app000001, true);
491 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> conflicts with existing hybrid app
492 install(app000000, false);
494 // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> ok (new app id)
495 auto& app001001 = make_helper(0, 0, 1, 0, 0, 1);
496 auto i3 = install(app001001, true);
498 // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (hybrid, different uid)
499 auto& app100001 = make_helper(1, 0, 0, 0, 0, 1);
500 auto i4 = install(app100001, true);
502 // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> author of app_0 must be the same
503 auto& app100010 = make_helper(1, 0, 0, 0, 1, 0);
504 install(app100010, false);
506 // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (app version and hybridity changed)
507 auto& app100100 = make_helper(1, 0, 0, 1, 0, 0);
510 // uid_1, pkg_1, app_0, version_1, author_0, not hybrid -> pkg of app_0 must be the same
511 auto& app110100 = make_helper(1, 1, 0, 1, 0, 0);
512 install(app110100, false);
514 for (auto& gu : users)
517 RUNNER_IGNORED_MSG("Disabled until hybridity update works properly for all users");
518 for (auto& app : apps)
519 app.checkAfterUninstall();
522 RUNNER_TEST(security_manager_09a_install_many_apps_in_single_request)
524 constexpr char pkgIdPrefix[] = "sm_test_09a";
525 const AppInstallHelperExt apps[] = {{"sm_test_09a_0", pkgIdPrefix},
526 {"sm_test_09a_1", pkgIdPrefix},
527 {"sm_test_09a_2", pkgIdPrefix}};
528 static_assert(sizeof(apps) > 0);
530 std::vector<std::string> appIds;
531 for (auto &app : apps)
532 appIds.push_back(app.getAppId());
535 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
536 // Installing many applications in single request
537 for (auto &app : apps) {
538 app.checkAfterInstall();
542 for (auto &app : apps) {
543 app.checkAfterUninstall();
547 RUNNER_TEST(security_manager_09b_install_many_apps_in_single_request_duplicated_ids)
549 AppInstallHelperExt app("sm_test_09b");
551 ScopedInstaller appsInstall({app.getAppId(), app.getAppId()}, app.getPkgId());
552 app.checkAfterInstall();
555 app.checkAfterUninstall();
558 RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_package)
560 constexpr char pkgIdPrefix[] = "sm_test_09c";
561 AppInstallHelperExt apps[] = {{"sm_test_09c_0", pkgIdPrefix},
562 {"sm_test_09c_1", pkgIdPrefix},
563 {"sm_test_09c_2", pkgIdPrefix}};
564 static_assert(sizeof(apps) > 0);
566 std::vector<std::string> appIds;
567 for (const auto &app : apps)
568 appIds.push_back(app.getAppId());
571 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
572 // Package is not hybrid, every app has same policy.
573 for (const auto &app : apps) {
574 app.checkAfterInstall();
577 // Updating package -- changing set of apps in package and setting hybrid mode
578 InstallRequest updateRequest;
579 updateRequest.setPkgId(apps[0].getPkgId());
580 updateRequest.setAppId(appIds[0]);
581 updateRequest.nextApp();
582 updateRequest.setAppId(appIds[1]);
583 updateRequest.setHybrid();
585 Api::update(updateRequest);
587 // Package became hybrid, so every app has its own Smack label
588 for (auto &app : apps) {
591 apps[0].checkAfterInstall();
592 apps[1].checkAfterInstall();
594 // Package became hybrid properly,
595 // so app not included in updated version of package was uninstalled.
596 apps[2].checkAfterUninstall(false);
599 for (const auto &app : apps) {
600 app.checkAfterUninstall();
604 RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
606 constexpr char pkgIdPrefix[] = "sm_test_09d";
607 AppInstallHelperExt apps[] = {{"sm_test_09d_0", pkgIdPrefix},
608 {"sm_test_09d_1", pkgIdPrefix},
609 {"sm_test_09d_2", pkgIdPrefix}};
610 static_assert(sizeof(apps) > 0);
612 std::vector<std::string> appIds;
613 for (const auto &app : apps)
614 appIds.push_back(app.getAppId());
617 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
619 InstallRequest updateRequest;
620 updateRequest.setPkgId(apps[0].getPkgId());
621 for (unsigned int i = 0; i < appIds.size(); i++) {
623 updateRequest.nextApp();
625 updateRequest.setAppId(appIds[i]);
627 updateRequest.setHybrid();
628 Api::update(updateRequest);
630 InstallRequest uninstRequest;
631 uninstRequest.setPkgId(apps[0].getPkgId());
632 uninstRequest.setAppId(appIds[0]);
633 Api::uninstall(uninstRequest);
635 for (auto &app : apps) {
638 apps[0].checkAfterUninstall(false);
640 for (const auto &app : apps) {
641 app.checkAfterUninstall();
645 RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
647 const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
648 const PrivilegeVector someDeniedPrivs = {PRIV_VPNSERVICE, PRIV_NOTIFICATION};
650 AppInstallHelperExt app("sm_test_10");
651 app.addPrivileges(allowedPrivs);
652 ScopedInstaller appInstall(app);
654 app.checkAfterInstall();
655 app.checkDeniedPrivileges(someDeniedPrivs);
656 // FIXME - all other existing privileges should be checked
659 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
661 RUNNER_TEST(security_manager_20_user_cynara_policy)
663 // FIXME - whitebox - cynara
664 const char *const MAIN_BUCKET = "MAIN";
665 const char *const MANIFESTS_GLOBAL_BUCKET = "MANIFESTS_GLOBAL";
666 const char *const MANIFESTS_LOCAL_BUCKET = "MANIFESTS_LOCAL";
667 const char *const ADMIN_BUCKET = "ADMIN";
668 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
669 CynaraTestAdmin::Admin admin;
671 TemporaryTestUser user("sm_test_20_user_name", GUM_USERTYPE_NORMAL, false);
673 std::string uid_string = user.getUidString();
675 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
676 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
677 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
680 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
682 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
683 admin.listPolicies(MANIFESTS_GLOBAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
684 admin.listPolicies(MANIFESTS_LOCAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
685 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
686 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
689 RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
691 const PrivilegeVector adminRequiredPrivs = {PRIV_NOTEXIST, PRIV_INTERNAL_USERMANAGEMENT};
692 const PrivilegeVector manifestPrivs = {PRIV_INTERNET, PRIV_DATASHARING};
693 const PrivilegeVector allowedPrivsAfterChange = {PRIV_DATASHARING};
694 const PrivilegeVector deniedPrivsAfterChange = {PRIV_INTERNET};
696 TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false);
697 TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false);
702 AppInstallHelper adminApp("sm_test_21_admin", adminUser.getUid());
703 adminApp.addPrivileges(adminRequiredPrivs);
704 ScopedInstaller adminAppInstall(adminApp);
706 AppInstallHelperExt normalApp("sm_test_21_normal", normalUser.getUid());
707 normalApp.addPrivileges(manifestPrivs);
708 ScopedInstaller normalAppInstall(normalApp);
709 normalApp.checkAfterInstall();
712 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
713 if (pid != 0) { //parent process
715 normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange);
717 Api::setProcessLabel(adminApp.getAppId());
718 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0,
719 "drop_root_privileges failed");
721 PolicyRequest addPolicyReq;
722 for (auto &deniedPriv : deniedPrivsAfterChange) {
723 PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv);
724 entry.setMaxLevel(PolicyEntry::LEVEL_DENY);
725 addPolicyReq.addEntry(entry);
727 Api::sendPolicy(addPolicyReq);
732 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
734 RUNNER_TEST(security_manager_22_security_manager_cmd_install)
737 const int SUCCESS = 0;
738 const int FAILURE = 256;
739 const std::string app_id = "sm_test_22_app_id";
740 const std::string pkg_id = "sm_test_22_pkg_id";
741 const std::string username("sm_test_22_user_name");
743 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL);
746 const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
747 const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
748 const std::string pkgopt = " --pkg=" + pkg_id;
749 const std::string appopt = " --app=" + app_id;
750 const std::string uidopt = " --uid=" + user.getUidString();
752 mktreeSafe(path1, 0);
753 mktreeSafe(path2, 0);
755 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
761 std::vector<struct operation> operations = {
762 {"security-manager-cmd", FAILURE},//no option
763 {"security-manager-cmd --blah", FAILURE},//blah option is not known
764 {"security-manager-cmd --help", SUCCESS},
765 {"security-manager-cmd --install", FAILURE},//no params
766 {"security-manager-cmd -i", FAILURE},//no params
767 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
768 {installcmd, SUCCESS},
769 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
770 {installcmd + " --path " + path1 + " rw", SUCCESS},
771 {installcmd + " --path " + path1, FAILURE},//no path type
772 {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
773 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
774 {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
777 for (auto &op : operations) {
778 ret = system((op.command + " 1>/dev/null 2>&1").c_str());
779 RUNNER_ASSERT_MSG(ret == op.expected_result,
780 "Unexpected result for command '" << op.command <<"': "
781 << ret << " Expected was: "<< op.expected_result);
785 RUNNER_TEST(security_manager_23_security_manager_cmd_users)
787 const int SUCCESS = 0;
788 const int FAILURE = 256;
789 TemporaryTestUser user("sm_test_23_user_name", GUM_USERTYPE_NORMAL, false);
791 const std::string uidopt = " --uid=" + user.getUidString();
797 std::vector<struct operation> operations = {
798 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
799 {"security-manager-cmd -m", FAILURE},//no params
800 {"security-manager-cmd -mr", FAILURE},//no uid
801 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
802 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
803 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
804 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
805 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
806 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
807 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
808 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
811 for (auto &op : operations) {
812 int ret = system((op.command + " 1>/dev/null 2>&1").c_str());
813 RUNNER_ASSERT_MSG(ret == op.expected_result,
814 "Unexpected result for command '" << op.command <<"': "
815 << ret << " Expected was: "<< op.expected_result);
819 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
821 RUNNER_TEST(security_manager_24_groups_get)
823 PolicyConfiguration pc;
827 Api::getSecurityManagerGroups(&c_groups, &count);
828 std::unique_ptr<gid_t, decltype(free)*> groupsPtr(c_groups, free);
830 auto policyGroups = pc.getGid();
831 RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
832 << policyGroups.size() << " but count is: " << count);
834 for (const auto &group : policyGroups) {
836 for (size_t i = 0; i < count; ++i) {
837 if (group == c_groups[i]) {
842 RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
846 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
848 RUNNER_TEST(security_manager_25a_global_user_set_install_type_global)
850 AppInstallHelperExt app("sm_test_25a");
851 app.setInstallType(SM_APP_INSTALL_GLOBAL);
853 ScopedInstaller appInstall(app);
855 app.checkAfterInstall();
858 // Check records in the security-manager database
859 app.checkAfterUninstall();
862 RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
864 AppInstallHelper app("sm_test_25b");
866 InstallRequest requestInst;
867 requestInst.setAppId(app.getAppId());
868 requestInst.setPkgId(app.getPkgId());
869 requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
871 Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
874 RUNNER_TEST(security_manager_25c_global_user_set_install_type_preloaded)
876 AppInstallHelperExt app("sm_test_25c");
877 app.setInstallType(SM_APP_INSTALL_PRELOADED);
879 ScopedInstaller appInstall(app);
880 app.checkAfterInstall();
882 app.checkAfterUninstall();
885 RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
887 InstallRequest requestPrivateUser;
888 requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
889 requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
893 * It is possible for local user to install global application but one needs app_install privileges
894 * By default only global user or root can install global apps (or "User", "System", "System::Privileged"...)
896 RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
898 RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
900 TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
903 AppInstallHelper app("sm_test_25e");
905 ScopedProcessLabel spl("_", false);
906 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
907 "drop_root_privileges failed");
909 InstallRequest invalidReq;
910 invalidReq.setAppId(app.getAppId());
911 invalidReq.setPkgId(app.getPkgId());
912 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
914 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
917 RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
919 RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
921 TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
924 AppInstallHelper app("sm_test_25f");
926 ScopedProcessLabel spl("_", false);
927 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
928 "drop_root_privileges failed");
929 InstallRequest invalidReq;
930 invalidReq.setAppId(app.getAppId());
931 invalidReq.setPkgId(app.getPkgId());
932 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
933 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
936 RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
938 const PrivilegeVector allowedPrivs = {PRIV_VOLUME_SET, PRIV_SYSTEMMONITOR, PRIV_INTERNET};
939 const PrivilegeVector someDeniedPrivs = {PRIV_PUSH, PRIV_POWER, PRIV_NOTIFICATION};
941 TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL);
944 AppInstallHelperExt app("sm_test_25g", testUser.getUid());
945 app.createPrivateDir();
946 app.setInstallType(SM_APP_INSTALL_LOCAL);
947 app.addPrivileges(allowedPrivs);
949 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
950 "drop_root_privileges failed");
952 ScopedInstaller appInstall(app);
953 app.checkAfterInstall();
954 app.checkDeniedPrivileges(someDeniedPrivs);
956 app.checkAfterUninstall();
959 RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
961 TemporaryTestUser testUser("sm_test_25h_user_name", GUM_USERTYPE_NORMAL);
964 AppInstallHelper app("sm_test_25h", testUser.getUid());
965 app.createPrivateDir();
967 InstallRequest invalidReq;
968 invalidReq.setAppId(app.getAppId());
969 invalidReq.setPkgId(app.getPkgId());
970 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
971 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
972 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
975 RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
977 TemporaryTestUser testUser("sm_test_25i_user_name", GUM_USERTYPE_NORMAL);
980 AppInstallHelper app("sm_test_25i", testUser.getUid());
981 app.createPrivateDir();
983 InstallRequest invalidReq;
984 invalidReq.setAppId(app.getAppId());
985 invalidReq.setPkgId(app.getPkgId());
986 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
987 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
988 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
991 RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
993 TemporaryTestUser testUser("sm_test_25j_user_name", GUM_USERTYPE_NORMAL);
996 AppInstallHelper appLocal("sm_test_25j", testUser.getUid());
998 AppInstallHelper appGlobal("sm_test_25");
999 appGlobal.createPrivateDir();
1001 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
1002 "drop_root_privileges failed");
1004 InstallRequest invalidReq;
1005 invalidReq.setAppId(appLocal.getAppId());
1006 invalidReq.setPkgId(appLocal.getPkgId());
1007 invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
1008 invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
1010 Api::install(invalidReq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
1013 RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check)
1015 TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL);
1018 const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
1020 AppInstallHelperExt app1("sm_test_26_1", "sm_test_26", testUser.getUid());
1021 app1.addPrivileges(allowedPrivs);
1024 AppInstallHelperExt app2("sm_test_26_2", "sm_test_26", testUser.getUid());
1025 app2.addPrivileges(allowedPrivs);
1029 ScopedInstaller appInstall1(app1);
1030 ScopedInstaller appInstall2(app2);
1031 app1.checkAfterInstall();
1032 app2.checkAfterInstall();
1035 app1.checkAfterUninstall(false);
1036 app2.checkAfterUninstall();