2 * Copyright (c) 2016 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 // cstdlibg has to be included before attr/xattr
19 #include <attr/xattr.h>
24 #include <sys/capability.h>
25 #include <sys/smack.h>
26 #include <sys/types.h>
29 #include <cynara-admin.h>
31 #include <cynara_test_admin.h>
32 #include <dpl/test/test_runner.h>
33 #include <label_generator.h>
34 #include <message_pipe.h>
35 #include <policy_configuration.h>
36 #include <scoped_installer.h>
37 #include <service_manager.h>
39 #include <sm_commons.h>
40 #include <sm_request.h>
41 #include <synchronization_pipe.h>
42 #include <temp_test_user.h>
43 #include <tests_common.h>
44 #include <tzplatform.h>
46 #include <scoped_process_label.h>
47 #include <scoped_app_launcher.h>
48 #include <app_install_helper_ext.h>
49 #include <privilege_names.h>
50 #include <app_def_privilege.h>
52 using namespace SecurityManagerTest;
53 using namespace PrivilegeNames;
55 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
57 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
59 AppInstallHelperExt app("sm_test_01a_app");
61 ScopedInstaller appInstall(app);
62 app.checkAfterInstall();
64 ScopedInstaller appInstall2(app);
65 app.checkAfterInstall();
67 app.checkAfterUninstall();
71 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
73 AppInstallHelperExt app("sm_test_01b");
75 ScopedInstaller appInstall(app);
77 InstallRequest requestInst2;
78 requestInst2.setAppId(app.getAppId());
79 requestInst2.setPkgId(app.getPkgId() + "_wrong");
81 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
83 app.checkAfterInstall();
85 app.checkAfterUninstall();
88 RUNNER_TEST(security_manager_01c_app_uninstall_wrong_pkg_id)
90 AppInstallHelperExt app("sm_test_01c");
91 ScopedInstaller appInstall(app);
93 app.checkAfterInstall();
95 InstallRequest requestUninst;
96 requestUninst.setAppId(app.getAppId());
97 requestUninst.setPkgId(app.getPkgId() + "_wrong_pkg_id");
99 Api::uninstall(requestUninst, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
103 * This test uses files installed with security-tests package
105 RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree)
107 const std::string appId = "sm_test_01d_app_id_full";
108 const std::string pkgId = "sm_test_01d_pkg_id_full";
110 const std::string rootDir = TzPlatformConfig::globalAppDir() + "/" + pkgId + "/";
111 const std::string privateDir = rootDir + "app_dir/";
112 const std::string privateRODir = rootDir + "app_dir_ro/";
113 const std::string publicRODir = rootDir + "app_dir_public_ro/";
114 const std::string sharedRODir = rootDir + "app_dir_rw_others_ro/";
116 int result = nftw(rootDir.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
117 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << rootDir);
119 InstallRequest requestInst;
120 requestInst.setAppId(appId);
121 requestInst.setPkgId(pkgId);
122 requestInst.addPath(privateDir, SECURITY_MANAGER_PATH_RW);
123 requestInst.addPath(privateRODir, SECURITY_MANAGER_PATH_RO);
124 requestInst.addPath(publicRODir, SECURITY_MANAGER_PATH_PUBLIC_RO);
125 requestInst.addPath(sharedRODir, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
126 Api::install(requestInst);
128 std::unique_ptr<InstallRequest, std::function<void(InstallRequest*)>> appCleanup(&requestInst,
129 [](InstallRequest *req) {
130 Api::uninstall(*req);
133 check_path(privateDir, generatePathRWLabel(pkgId));
134 check_path(privateRODir, generatePathROLabel(pkgId), false);
135 check_path(publicRODir, getPublicPathLabel());
136 check_path(sharedRODir, getSharedROPathLabel());
139 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
141 const PrivilegeVector defaultPrivs = {
143 PRIV_INTERNAL_DISPLAY,
146 const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
147 const PrivilegeVector someDeniedPrivs = {PRIV_INTERNET, PRIV_EXTERNALSTORAGE};
149 PrivilegeVector defaultAllowedPrivs = defaultPrivs;
150 defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
152 AppInstallHelperExt app("sm_test_02");
153 app.createPrivateDir();
154 app.createPrivateRODir();
155 app.createPublicDir();
156 app.createSharedRODir();
157 app.addPrivileges(allowedPrivs);
159 ScopedInstaller appInstall(app);
161 app.checkAfterInstall();
162 app.checkDeniedPrivileges(someDeniedPrivs);
163 app.checkPrivilegeGroups(defaultAllowedPrivs);
165 check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
166 check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
167 check_path(app.getPublicDir(), getPublicPathLabel());
168 check_path(app.getSharedRODir(), getSharedROPathLabel());
171 app.checkAfterUninstall();
174 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
176 std::string expectedSockLabel = "labelExpectedOnlyFromSocket";
178 AppInstallHelper app("sm_test_03a");
179 std::string expectedProcLabel = generateProcessLabel(app.getAppId(), app.getPkgId());
181 const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03a.socket");
182 int sock = UDSHelpers::createServer(&sockaddr);
183 SockUniquePtr sockPtr(&sock);
185 //Set socket label to something different than expeced process label
186 int result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, expectedSockLabel.c_str());
187 RUNNER_ASSERT_ERRNO_MSG(result == 0,
188 "Can't set socket label. Result: " << result);
189 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, expectedSockLabel.c_str());
190 RUNNER_ASSERT_ERRNO_MSG(result == 0,
191 "Can't set socket label. Result: " << result);
193 ScopedInstaller appInstall(app);
196 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
197 if (pid == 0) { // child
198 Api::setProcessLabel(app.getAppId());
200 char *label = nullptr;
202 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
203 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
204 labelPtr.reset(label);
205 result = expectedSockLabel.compare(label);
206 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
207 expectedProcLabel << " Actual: " << label);
209 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
210 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
211 labelPtr.reset(label);
212 result = expectedSockLabel.compare(label);
213 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
214 expectedProcLabel << " Actual: " << label);
216 result = smack_new_label_from_self(&label);
217 RUNNER_ASSERT_MSG(result >= 0,
218 " Error getting current process label");
219 RUNNER_ASSERT_MSG(label != nullptr,
220 " Process label is not set");
221 labelPtr.reset(label);
223 result = expectedProcLabel.compare(label);
224 RUNNER_ASSERT_MSG(result == 0,
225 " Process label is incorrect. Expected: \"" << expectedProcLabel <<
226 "\" Actual: \"" << label << "\"");
232 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
234 const PrivilegeVector allowedPrivs = {PRIV_BLUETOOTH, PRIV_POWER};
235 const PrivilegeVector someDeniedPrivs = {PRIV_DISPLAY, PRIV_NFC};
237 TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL);
240 AppInstallHelperExt app("sm_test_04a", testUser.getUid());
241 app.addPrivileges(allowedPrivs);
243 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
244 "drop_root_privileges failed");
246 ScopedInstaller appInstall(app, false);
247 app.checkAfterInstall();
248 app.checkDeniedPrivileges(someDeniedPrivs);
250 app.checkAfterUninstall();
251 app.checkDeniedPrivileges(someDeniedPrivs);
254 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) {
255 const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
256 const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
258 TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL);
261 AppInstallHelperExt app("sm_test_04b", testUser.getUid());
262 app.addPrivileges(allowedPrivs);
265 ScopedInstaller appInstall(app);
266 app.checkAfterInstall();
267 app.checkDeniedPrivileges(someDeniedPrivs);
269 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
270 "drop_root_privileges failed");
272 app.checkAfterUninstall();
273 app.checkDeniedPrivileges(someDeniedPrivs);
276 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
279 CapsSetsUniquePtr caps_empty(cap_init());
280 auto caps = setCaps("all=eip");
281 Api::dropProcessPrivileges();
283 caps.reset(cap_get_proc());
284 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
286 result = cap_compare(caps.get(), caps_empty.get());
287 RUNNER_ASSERT_MSG(result == 0,
288 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
291 RUNNER_TEST(security_manager_06_install_app_offline)
293 ServiceManager("security-manager.service").stopService();
295 ServiceManager serviceManager("security-manager.socket");
296 serviceManager.stopService();
298 AppInstallHelper app("sm_test_06");
299 ScopedInstaller appInstall(app);
300 // TODO - check if app is installed properly
301 // start service before uninstall, offline mode doesn't support uninstall
302 serviceManager.startService();
303 appInstall.uninstallApp();
304 // TODO - check if app is uninstalled properly
307 RUNNER_CHILD_TEST(security_manager_07a_user_add_app_install)
309 const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
310 const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
312 TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL);
315 AppInstallHelperExt app("sm_test_07a", testUser.getUid());
316 app.addPrivileges(allowedPrivs);
319 req.setAppId(app.getAppId());
320 req.setPkgId(app.getPkgId());
321 req.setUid(app.getUID());
322 for (const auto &priv: app.getPrivileges()) {
323 req.addPrivilege(priv);
326 app.checkAfterInstall();
327 app.checkDeniedPrivileges(someDeniedPrivs);
331 app.checkAfterUninstall();
332 app.checkDeniedPrivileges(someDeniedPrivs);
335 RUNNER_TEST(security_manager_07b_user_add_offline)
337 ServiceManager("security-manager.service").stopService();
339 ServiceManager serviceManager("security-manager.socket");
340 serviceManager.stopService();
342 TemporaryTestUser testUser("sm_test_07b_user_name", GUM_USERTYPE_NORMAL, true);
345 AppInstallHelperExt app("sm_test_07b", testUser.getUid());
346 ScopedInstaller appInstall(app);
348 serviceManager.startService();
349 app.checkAfterInstall();
352 app.checkAfterUninstall();
355 RUNNER_TEST(security_manager_08_user_double_add_double_remove)
357 const PrivilegeVector somePrivs = {PRIV_LED, PRIV_NOTIFICATION};
360 TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL);
364 UserRequest addUserRequest;
365 addUserRequest.setUid(testUser.getUid());
366 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
367 Api::addUser(addUserRequest);
369 AppInstallHelperExt app("sm_test_08", testUser.getUid());
370 ScopedInstaller appInstall(app);
372 app.checkAfterInstall();
373 app.checkDeniedPrivileges(somePrivs);
378 app.checkAfterUninstall();
381 UserRequest deleteUserRequest;
382 deleteUserRequest.setUid(testUser.getUid());
383 Api::deleteUser(deleteUserRequest);
386 RUNNER_TEST(security_manager_09_app_install_constraint_check)
388 auto install = [](const AppInstallHelperExt& app, bool success)
390 auto expected = success ? SECURITY_MANAGER_SUCCESS : SECURITY_MANAGER_ERROR_INPUT_PARAM;
391 ScopedInstaller appInstall(app, true, expected);
393 app.checkAfterInstall();
397 auto update = [](const AppInstallHelperExt& app)
399 InstallRequest request;
400 request.setAppId(app.getAppId());
401 request.setPkgId(app.getPkgId());
402 request.setAppTizenVersion(app.getVersion());
403 request.setAuthorId(app.getAuthor());
404 request.setUid(app.getUID());
405 if (app.getIsHybrid())
407 Api::update(request);
410 TemporaryTestUser users[] = {
411 {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
412 {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
415 for (auto& gu : users)
418 const char *const pkgIdPrefix[] = {"sm_test_09_0", "sm_test_09_1"};
419 const char *const appIdPrefix[] = {"sm_test_09_0", "sm_test_09_1"};
420 const char *const version[] = {"sm_test_09_0_version", "sm_test_09_1_version"};
421 const char *const author[] = {"sm_test_09_0_author", "sm_test_09_1_author"};
422 bool hybrid[] = {false, true};
424 std::list<AppInstallHelperExt> apps;
426 auto make_helper = [&](size_t userIdx,
431 size_t hybridIdx) -> AppInstallHelperExt&
433 apps.emplace_back(appIdPrefix[appIdx], pkgIdPrefix[pkgIdx], users[userIdx].getUid());
434 apps.back().setAuthor(author[authorIdx]);
435 apps.back().setVersion(version[verIdx]);
436 if (hybrid[hybridIdx])
437 apps.back().setHybrid();
441 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok
442 auto &app000000 = make_helper(0, 0, 0, 0, 0, 0);
443 auto i1 = install(app000000, true);
445 // uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
446 auto& app100000 = make_helper(1, 0, 0, 0, 0, 0);
447 install(app100000, true);
449 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> conflicts with existing non hybrid app
450 auto& app000001 = make_helper(0, 0, 0, 0, 0, 1);
451 install(app000001, false);
453 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok (app updated to hybrid)
456 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok (app installed again)
457 auto i2 = install(app000001, true);
459 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> conflicts with existing hybrid app
460 install(app000000, false);
462 // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> ok (new app id)
463 auto& app001001 = make_helper(0, 0, 1, 0, 0, 1);
464 auto i3 = install(app001001, true);
466 // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (hybrid, different uid)
467 auto& app100001 = make_helper(1, 0, 0, 0, 0, 1);
468 auto i4 = install(app100001, true);
470 // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> author of app_0 must be the same
471 auto& app100010 = make_helper(1, 0, 0, 0, 1, 0);
472 install(app100010, false);
474 // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (app version and hybridity changed)
475 auto& app100100 = make_helper(1, 0, 0, 1, 0, 0);
478 // uid_1, pkg_1, app_0, version_1, author_0, not hybrid -> pkg of app_0 must be the same
479 auto& app110100 = make_helper(1, 1, 0, 1, 0, 0);
480 install(app110100, false);
482 for (auto& gu : users)
485 RUNNER_IGNORED_MSG("Disabled until hybridity update works properly for all users");
486 for (auto& app : apps)
487 app.checkAfterUninstall();
490 RUNNER_TEST(security_manager_09a_install_many_apps_in_single_request)
492 constexpr char pkgIdPrefix[] = "sm_test_09a";
493 const AppInstallHelperExt apps[] = {{"sm_test_09a_0", pkgIdPrefix},
494 {"sm_test_09a_1", pkgIdPrefix},
495 {"sm_test_09a_2", pkgIdPrefix}};
496 static_assert(sizeof(apps) > 0);
498 std::vector<std::string> appIds;
499 for (auto &app : apps)
500 appIds.push_back(app.getAppId());
503 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
504 // Installing many applications in single request
505 for (auto &app : apps) {
506 app.checkAfterInstall();
510 for (auto &app : apps) {
511 app.checkAfterUninstall();
515 RUNNER_TEST(security_manager_09b_install_many_apps_in_single_request_duplicated_ids)
517 AppInstallHelperExt app("sm_test_09b");
519 ScopedInstaller appsInstall({app.getAppId(), app.getAppId()}, app.getPkgId());
520 app.checkAfterInstall();
523 app.checkAfterUninstall();
526 RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_package)
528 constexpr char pkgIdPrefix[] = "sm_test_09c";
529 AppInstallHelperExt apps[] = {{"sm_test_09c_0", pkgIdPrefix},
530 {"sm_test_09c_1", pkgIdPrefix},
531 {"sm_test_09c_2", pkgIdPrefix}};
532 static_assert(sizeof(apps) > 0);
534 std::vector<std::string> appIds;
535 for (const auto &app : apps)
536 appIds.push_back(app.getAppId());
539 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
540 // Package is not hybrid, every app has same policy.
541 for (const auto &app : apps) {
542 app.checkAfterInstall();
545 // Updating package -- changing set of apps in package and setting hybrid mode
546 InstallRequest updateRequest;
547 updateRequest.setPkgId(apps[0].getPkgId());
548 updateRequest.setAppId(appIds[0]);
549 updateRequest.nextApp();
550 updateRequest.setAppId(appIds[1]);
551 updateRequest.setHybrid();
553 Api::update(updateRequest);
555 // Package became hybrid, so every app has its own Smack label
556 for (auto &app : apps) {
559 apps[0].checkAfterInstall();
560 apps[1].checkAfterInstall();
562 // Package became hybrid properly,
563 // so app not included in updated version of package was uninstalled.
564 apps[2].checkAfterUninstall(false);
567 for (const auto &app : apps) {
568 app.checkAfterUninstall();
572 RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
574 constexpr char pkgIdPrefix[] = "sm_test_09d";
575 AppInstallHelperExt apps[] = {{"sm_test_09d_0", pkgIdPrefix},
576 {"sm_test_09d_1", pkgIdPrefix},
577 {"sm_test_09d_2", pkgIdPrefix}};
578 static_assert(sizeof(apps) > 0);
580 std::vector<std::string> appIds;
581 for (const auto &app : apps)
582 appIds.push_back(app.getAppId());
585 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
587 InstallRequest updateRequest;
588 updateRequest.setPkgId(apps[0].getPkgId());
589 for (unsigned int i = 0; i < appIds.size(); i++) {
591 updateRequest.nextApp();
593 updateRequest.setAppId(appIds[i]);
595 updateRequest.setHybrid();
596 Api::update(updateRequest);
598 InstallRequest uninstRequest;
599 uninstRequest.setPkgId(apps[0].getPkgId());
600 uninstRequest.setAppId(appIds[0]);
601 Api::uninstall(uninstRequest);
603 for (auto &app : apps) {
606 apps[0].checkAfterUninstall(false);
608 for (const auto &app : apps) {
609 app.checkAfterUninstall();
613 RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
615 const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
616 const PrivilegeVector someDeniedPrivs = {PRIV_VPNSERVICE, PRIV_NOTIFICATION};
618 AppInstallHelperExt app("sm_test_10");
619 app.addPrivileges(allowedPrivs);
620 ScopedInstaller appInstall(app);
622 app.checkAfterInstall();
623 app.checkDeniedPrivileges(someDeniedPrivs);
624 // FIXME - all other existing privileges should be checked
627 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
629 RUNNER_TEST(security_manager_20_user_cynara_policy)
631 // FIXME - whitebox - cynara
632 const char *const MAIN_BUCKET = "MAIN";
633 const char *const MANIFESTS_GLOBAL_BUCKET = "MANIFESTS_GLOBAL";
634 const char *const MANIFESTS_LOCAL_BUCKET = "MANIFESTS_LOCAL";
635 const char *const ADMIN_BUCKET = "ADMIN";
636 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
637 CynaraTestAdmin::Admin admin;
639 TemporaryTestUser user("sm_test_20_user_name", GUM_USERTYPE_NORMAL, false);
641 std::string uid_string = user.getUidString();
643 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
644 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
645 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
648 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
650 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
651 admin.listPolicies(MANIFESTS_GLOBAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
652 admin.listPolicies(MANIFESTS_LOCAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
653 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
654 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
657 RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
659 const PrivilegeVector adminRequiredPrivs = {PRIV_NOTEXIST, PRIV_INTERNAL_USERMANAGEMENT};
660 const PrivilegeVector manifestPrivs = {PRIV_INTERNET, PRIV_DATASHARING};
661 const PrivilegeVector allowedPrivsAfterChange = {PRIV_DATASHARING};
662 const PrivilegeVector deniedPrivsAfterChange = {PRIV_INTERNET};
664 TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false);
665 TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false);
670 AppInstallHelper adminApp("sm_test_21_admin", adminUser.getUid());
671 adminApp.addPrivileges(adminRequiredPrivs);
672 ScopedInstaller adminAppInstall(adminApp);
674 AppInstallHelperExt normalApp("sm_test_21_normal", normalUser.getUid());
675 normalApp.addPrivileges(manifestPrivs);
676 ScopedInstaller normalAppInstall(normalApp);
677 normalApp.checkAfterInstall();
680 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
681 if (pid != 0) { //parent process
683 normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange);
685 Api::setProcessLabel(adminApp.getAppId());
686 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0,
687 "drop_root_privileges failed");
689 PolicyRequest addPolicyReq;
690 for (auto &deniedPriv : deniedPrivsAfterChange) {
691 PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv);
692 entry.setMaxLevel(PolicyEntry::LEVEL_DENY);
693 addPolicyReq.addEntry(entry);
695 Api::sendPolicy(addPolicyReq);
700 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
702 RUNNER_TEST(security_manager_22_security_manager_cmd_install)
705 const int SUCCESS = 0;
706 const int FAILURE = 256;
707 const std::string app_id = "sm_test_22_app_id";
708 const std::string pkg_id = "sm_test_22_pkg_id";
709 const std::string username("sm_test_22_user_name");
711 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL);
714 const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
715 const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
716 const std::string pkgopt = " --pkg=" + pkg_id;
717 const std::string appopt = " --app=" + app_id;
718 const std::string uidopt = " --uid=" + user.getUidString();
720 mktreeSafe(path1.c_str(), 0);
721 mktreeSafe(path2.c_str(), 0);
723 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
729 std::vector<struct operation> operations = {
730 {"security-manager-cmd", FAILURE},//no option
731 {"security-manager-cmd --blah", FAILURE},//blah option is not known
732 {"security-manager-cmd --help", SUCCESS},
733 {"security-manager-cmd --install", FAILURE},//no params
734 {"security-manager-cmd -i", FAILURE},//no params
735 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
736 {installcmd, SUCCESS},
737 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
738 {installcmd + " --path " + path1 + " rw", SUCCESS},
739 {installcmd + " --path " + path1, FAILURE},//no path type
740 {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
741 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
742 {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
745 for (auto &op : operations) {
746 ret = system((op.command + " 1>/dev/null 2>&1").c_str());
747 RUNNER_ASSERT_MSG(ret == op.expected_result,
748 "Unexpected result for command '" << op.command <<"': "
749 << ret << " Expected was: "<< op.expected_result);
753 RUNNER_TEST(security_manager_23_security_manager_cmd_users)
755 const int SUCCESS = 0;
756 const int FAILURE = 256;
757 TemporaryTestUser user("sm_test_23_user_name", GUM_USERTYPE_NORMAL, false);
759 const std::string uidopt = " --uid=" + user.getUidString();
765 std::vector<struct operation> operations = {
766 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
767 {"security-manager-cmd -m", FAILURE},//no params
768 {"security-manager-cmd -mr", FAILURE},//no uid
769 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
770 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
771 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
772 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
773 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
774 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
775 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
776 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
779 for (auto &op : operations) {
780 int ret = system((op.command + " 1>/dev/null 2>&1").c_str());
781 RUNNER_ASSERT_MSG(ret == op.expected_result,
782 "Unexpected result for command '" << op.command <<"': "
783 << ret << " Expected was: "<< op.expected_result);
787 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
789 RUNNER_TEST(security_manager_24_groups_get)
791 PolicyConfiguration pc;
795 Api::getSecurityManagerGroups(&c_groups, &count);
796 std::unique_ptr<gid_t, decltype(free)*> groupsPtr(c_groups, free);
798 auto policyGroups = pc.getGid();
799 RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
800 << policyGroups.size() << " but count is: " << count);
802 for (const auto &group : policyGroups) {
804 for (size_t i = 0; i < count; ++i) {
805 if (group == c_groups[i]) {
810 RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
814 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
816 RUNNER_TEST(security_manager_25a_global_user_set_install_type_global)
818 AppInstallHelperExt app("sm_test_25a");
819 app.setInstallType(SM_APP_INSTALL_GLOBAL);
821 ScopedInstaller appInstall(app);
823 app.checkAfterInstall();
826 // Check records in the security-manager database
827 app.checkAfterUninstall();
830 RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
832 AppInstallHelper app("sm_test_25b");
834 InstallRequest requestInst;
835 requestInst.setAppId(app.getAppId());
836 requestInst.setPkgId(app.getPkgId());
837 requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
839 Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
842 RUNNER_TEST(security_manager_25c_global_user_set_install_type_preloaded)
844 AppInstallHelperExt app("sm_test_25c");
845 app.setInstallType(SM_APP_INSTALL_PRELOADED);
847 ScopedInstaller appInstall(app);
848 app.checkAfterInstall();
850 app.checkAfterUninstall();
853 RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
855 InstallRequest requestPrivateUser;
856 requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
857 requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
861 * It is possible for local user to install global application but one needs app_install privileges
862 * By default only global user or root can install global apps (or "User", "System", "System::Privileged"...)
864 RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
866 RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
868 TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
871 AppInstallHelper app("sm_test_25e");
873 ScopedProcessLabel spl("_", false);
874 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
875 "drop_root_privileges failed");
877 InstallRequest invalidReq;
878 invalidReq.setAppId(app.getAppId());
879 invalidReq.setPkgId(app.getPkgId());
880 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
882 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
885 RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
887 RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
889 TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
892 AppInstallHelper app("sm_test_25f");
894 ScopedProcessLabel spl("_", false);
895 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
896 "drop_root_privileges failed");
897 InstallRequest invalidReq;
898 invalidReq.setAppId(app.getAppId());
899 invalidReq.setPkgId(app.getPkgId());
900 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
901 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
904 RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
906 const PrivilegeVector allowedPrivs = {PRIV_VOLUME_SET, PRIV_SYSTEMMONITOR, PRIV_INTERNET};
907 const PrivilegeVector someDeniedPrivs = {PRIV_PUSH, PRIV_POWER, PRIV_NOTIFICATION};
909 TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL);
912 AppInstallHelperExt app("sm_test_25g", testUser.getUid());
913 app.createPrivateDir();
914 app.setInstallType(SM_APP_INSTALL_LOCAL);
915 app.addPrivileges(allowedPrivs);
917 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
918 "drop_root_privileges failed");
920 ScopedInstaller appInstall(app);
921 app.checkAfterInstall();
922 app.checkDeniedPrivileges(someDeniedPrivs);
924 app.checkAfterUninstall();
927 RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
929 TemporaryTestUser testUser("sm_test_25h_user_name", GUM_USERTYPE_NORMAL);
932 AppInstallHelper app("sm_test_25h", testUser.getUid());
933 app.createPrivateDir();
935 InstallRequest invalidReq;
936 invalidReq.setAppId(app.getAppId());
937 invalidReq.setPkgId(app.getPkgId());
938 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
939 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
940 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
943 RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
945 TemporaryTestUser testUser("sm_test_25i_user_name", GUM_USERTYPE_NORMAL);
948 AppInstallHelper app("sm_test_25i", testUser.getUid());
949 app.createPrivateDir();
951 InstallRequest invalidReq;
952 invalidReq.setAppId(app.getAppId());
953 invalidReq.setPkgId(app.getPkgId());
954 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
955 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
956 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
959 RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
961 TemporaryTestUser testUser("sm_test_25j_user_name", GUM_USERTYPE_NORMAL);
964 AppInstallHelper appLocal("sm_test_25j", testUser.getUid());
966 AppInstallHelper appGlobal("sm_test_25");
967 appGlobal.createPrivateDir();
969 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
970 "drop_root_privileges failed");
972 InstallRequest invalidReq;
973 invalidReq.setAppId(appLocal.getAppId());
974 invalidReq.setPkgId(appLocal.getPkgId());
975 invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
976 invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
978 Api::install(invalidReq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
981 RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check)
983 TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL);
986 const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
988 AppInstallHelperExt app1("sm_test_26_1", "sm_test_26", testUser.getUid());
989 app1.addPrivileges(allowedPrivs);
992 AppInstallHelperExt app2("sm_test_26_2", "sm_test_26", testUser.getUid());
993 app2.addPrivileges(allowedPrivs);
997 ScopedInstaller appInstall1(app1);
998 ScopedInstaller appInstall2(app2);
999 app1.checkAfterInstall();
1000 app2.checkAfterInstall();
1003 app1.checkAfterUninstall(false);
1004 app2.checkAfterUninstall();