2 * Copyright (c) 2016 - 2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 // cstdlibg has to be included before attr/xattr
19 #include <attr/xattr.h>
24 #include <sys/capability.h>
25 #include <sys/smack.h>
26 #include <sys/types.h>
29 #include <cynara-admin.h>
31 #include <cynara_test_admin.h>
32 #include <dpl/test/test_runner.h>
33 #include <label_generator.h>
34 #include <message_pipe.h>
35 #include <policy_configuration.h>
36 #include <scoped_installer.h>
37 #include <service_manager.h>
39 #include <sm_commons.h>
40 #include <sm_request.h>
41 #include <synchronization_pipe.h>
42 #include <temp_test_user.h>
43 #include <tests_common.h>
44 #include <tzplatform.h>
46 #include <scoped_process_label.h>
47 #include <scoped_app_launcher.h>
48 #include <app_install_helper_ext.h>
49 #include <privilege_names.h>
51 using namespace SecurityManagerTest;
52 using namespace PrivilegeNames;
54 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
56 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
58 AppInstallHelperExt app("sm_test_01a_app");
60 ScopedInstaller appInstall(app);
61 app.checkAfterInstall();
63 ScopedInstaller appInstall2(app);
64 app.checkAfterInstall();
66 app.checkAfterUninstall();
70 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
72 AppInstallHelperExt app("sm_test_01b");
74 ScopedInstaller appInstall(app);
76 InstallRequest requestInst2;
77 requestInst2.setAppId(app.getAppId());
78 requestInst2.setPkgId(app.getPkgId() + "_wrong");
80 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
82 app.checkAfterInstall();
84 app.checkAfterUninstall();
87 RUNNER_TEST(security_manager_01c_app_uninstall_wrong_pkg_id)
89 AppInstallHelperExt app("sm_test_01c");
90 ScopedInstaller appInstall(app);
92 app.checkAfterInstall();
94 InstallRequest requestUninst;
95 requestUninst.setAppId(app.getAppId());
96 requestUninst.setPkgId(app.getPkgId() + "_wrong_pkg_id");
98 Api::uninstall(requestUninst, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
102 * This test uses files installed with security-tests package
104 RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree)
106 const std::string appId = "sm_test_01d_app_id_full";
107 const std::string pkgId = "sm_test_01d_pkg_id_full";
109 const std::string rootDir = TzPlatformConfig::globalAppDir() + "/" + pkgId + "/";
110 const std::string privateDir = rootDir + "app_dir/";
111 const std::string privateRODir = rootDir + "app_dir_ro/";
112 const std::string publicRODir = rootDir + "app_dir_public_ro/";
113 const std::string sharedRODir = rootDir + "app_dir_rw_others_ro/";
115 int result = nftw(rootDir.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
116 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << rootDir);
118 InstallRequest requestInst;
119 requestInst.setAppId(appId);
120 requestInst.setPkgId(pkgId);
121 requestInst.addPath(privateDir, SECURITY_MANAGER_PATH_RW);
122 requestInst.addPath(privateRODir, SECURITY_MANAGER_PATH_RO);
123 requestInst.addPath(publicRODir, SECURITY_MANAGER_PATH_PUBLIC_RO);
124 requestInst.addPath(sharedRODir, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
125 Api::install(requestInst);
127 std::unique_ptr<InstallRequest, std::function<void(InstallRequest*)>> appCleanup(&requestInst,
128 [](InstallRequest *req) {
129 Api::uninstall(*req);
132 check_path(privateDir, generatePathRWLabel(pkgId));
133 check_path(privateRODir, generatePathROLabel(pkgId), false);
134 check_path(publicRODir, getPublicPathLabel());
135 check_path(sharedRODir, getSharedROPathLabel());
138 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
140 const PolicyConfiguration::PrivVector defaultPrivs = {
142 PRIV_INTERNAL_DISPLAY,
145 const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE};
146 const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_INTERNET, PRIV_EXTERNALSTORAGE};
148 PolicyConfiguration::PrivVector defaultAllowedPrivs = defaultPrivs;
149 defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end());
151 AppInstallHelperExt app("sm_test_02");
152 app.createPrivateDir();
153 app.createPrivateRODir();
154 app.createPublicDir();
155 app.createSharedRODir();
156 app.addPrivileges(allowedPrivs);
158 ScopedInstaller appInstall(app);
160 app.checkAfterInstall();
161 app.checkDeniedPrivileges(someDeniedPrivs);
162 app.checkPrivilegeGroups(defaultAllowedPrivs);
164 check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
165 check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
166 check_path(app.getPublicDir(), getPublicPathLabel());
167 check_path(app.getSharedRODir(), getSharedROPathLabel());
170 app.checkAfterUninstall();
173 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
175 std::string expectedSockLabel = "labelExpectedOnlyFromSocket";
177 AppInstallHelper app("sm_test_03a");
178 std::string expectedProcLabel = generateProcessLabel(app.getAppId(), app.getPkgId());
180 const auto sockaddr = UDSHelpers::makeAbstractAddress("sm_test_03a.socket");
181 int sock = UDSHelpers::createServer(&sockaddr);
182 SockUniquePtr sockPtr(&sock);
184 //Set socket label to something different than expeced process label
185 int result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPIN, expectedSockLabel.c_str());
186 RUNNER_ASSERT_ERRNO_MSG(result == 0,
187 "Can't set socket label. Result: " << result);
188 result = smack_set_label_for_file(*sockPtr, XATTR_NAME_SMACKIPOUT, expectedSockLabel.c_str());
189 RUNNER_ASSERT_ERRNO_MSG(result == 0,
190 "Can't set socket label. Result: " << result);
192 ScopedInstaller appInstall(app);
195 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
196 if (pid == 0) { // child
197 Api::setProcessLabel(app.getAppId());
199 char *label = nullptr;
201 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
202 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
203 labelPtr.reset(label);
204 result = expectedSockLabel.compare(label);
205 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
206 expectedProcLabel << " Actual: " << label);
208 result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
209 RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
210 labelPtr.reset(label);
211 result = expectedSockLabel.compare(label);
212 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
213 expectedProcLabel << " Actual: " << label);
215 result = smack_new_label_from_self(&label);
216 RUNNER_ASSERT_MSG(result >= 0,
217 " Error getting current process label");
218 RUNNER_ASSERT_MSG(label != nullptr,
219 " Process label is not set");
220 labelPtr.reset(label);
222 result = expectedProcLabel.compare(label);
223 RUNNER_ASSERT_MSG(result == 0,
224 " Process label is incorrect. Expected: \"" << expectedProcLabel <<
225 "\" Actual: \"" << label << "\"");
231 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
233 const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_BLUETOOTH, PRIV_POWER};
234 const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_DISPLAY, PRIV_NFC};
236 TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL);
239 AppInstallHelperExt app("sm_test_04a", testUser.getUid());
240 app.addPrivileges(allowedPrivs);
242 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
243 "drop_root_privileges failed");
245 ScopedInstaller appInstall(app, false);
246 app.checkAfterInstall();
247 app.checkDeniedPrivileges(someDeniedPrivs);
249 app.checkAfterUninstall();
250 app.checkDeniedPrivileges(someDeniedPrivs);
253 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) {
254 const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
255 const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
257 TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL);
260 AppInstallHelperExt app("sm_test_04b", testUser.getUid());
261 app.addPrivileges(allowedPrivs);
264 ScopedInstaller appInstall(app);
265 app.checkAfterInstall();
266 app.checkDeniedPrivileges(someDeniedPrivs);
268 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
269 "drop_root_privileges failed");
271 app.checkAfterUninstall();
272 app.checkDeniedPrivileges(someDeniedPrivs);
275 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
278 CapsSetsUniquePtr caps_empty(cap_init());
279 auto caps = setCaps("all=eip");
280 Api::dropProcessPrivileges();
282 caps.reset(cap_get_proc());
283 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
285 result = cap_compare(caps.get(), caps_empty.get());
286 RUNNER_ASSERT_MSG(result == 0,
287 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
290 RUNNER_TEST(security_manager_06_install_app_offline)
292 ServiceManager("security-manager.service").stopService();
294 ServiceManager serviceManager("security-manager.socket");
295 serviceManager.stopService();
297 AppInstallHelper app("sm_test_06");
298 ScopedInstaller appInstall(app);
299 // TODO - check if app is installed properly
300 // start service before uninstall, offline mode doesn't support uninstall
301 serviceManager.startService();
302 appInstall.uninstallApp();
303 // TODO - check if app is uninstalled properly
306 RUNNER_CHILD_TEST(security_manager_07a_user_add_app_install)
308 const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_INTERNET, PRIV_LED};
309 const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION};
311 TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL);
314 AppInstallHelperExt app("sm_test_07a", testUser.getUid());
315 app.addPrivileges(allowedPrivs);
318 req.setAppId(app.getAppId());
319 req.setPkgId(app.getPkgId());
320 req.setUid(app.getUID());
321 for (const auto &priv: app.getPrivileges()) {
322 req.addPrivilege(priv);
325 app.checkAfterInstall();
326 app.checkDeniedPrivileges(someDeniedPrivs);
330 app.checkAfterUninstall();
331 app.checkDeniedPrivileges(someDeniedPrivs);
334 RUNNER_TEST(security_manager_07b_user_add_offline)
336 ServiceManager("security-manager.service").stopService();
338 ServiceManager serviceManager("security-manager.socket");
339 serviceManager.stopService();
341 TemporaryTestUser testUser("sm_test_07b_user_name", GUM_USERTYPE_NORMAL, true);
344 AppInstallHelperExt app("sm_test_07b", testUser.getUid());
345 ScopedInstaller appInstall(app);
347 serviceManager.startService();
348 app.checkAfterInstall();
351 app.checkAfterUninstall();
354 RUNNER_TEST(security_manager_08_user_double_add_double_remove)
356 const PolicyConfiguration::PrivVector somePrivs = {PRIV_LED, PRIV_NOTIFICATION};
359 TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL);
363 UserRequest addUserRequest;
364 addUserRequest.setUid(testUser.getUid());
365 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
366 Api::addUser(addUserRequest);
368 AppInstallHelperExt app("sm_test_08", testUser.getUid());
369 ScopedInstaller appInstall(app);
371 app.checkAfterInstall();
372 app.checkDeniedPrivileges(somePrivs);
377 app.checkAfterUninstall();
380 UserRequest deleteUserRequest;
381 deleteUserRequest.setUid(testUser.getUid());
382 Api::deleteUser(deleteUserRequest);
385 RUNNER_TEST(security_manager_09_app_install_constraint_check)
387 auto install = [](const TemporaryTestUser& user,
393 enum lib_retcode expected,
394 bool uninstall = true)
396 InstallRequest request;
397 request.setAppId(appId);
398 request.setPkgId(pkgId);
399 request.setAppTizenVersion(version);
400 request.setAuthorId(author);
401 request.setUid(user.getUid());
404 Api::install(request, expected);
406 if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
407 Api::uninstall(request);
411 auto update = [](const TemporaryTestUser& user,
417 enum lib_retcode expected,
418 bool uninstall = true)
420 InstallRequest request;
421 request.setAppId(appId);
422 request.setPkgId(pkgId);
423 request.setAppTizenVersion(version);
424 request.setAuthorId(author);
425 request.setUid(user.getUid());
428 Api::update(request, expected);
430 if(expected == SECURITY_MANAGER_SUCCESS && uninstall) {
431 Api::uninstall(request);
435 TemporaryTestUser users[] = {
436 {"sm_test_09_user_name_0", GUM_USERTYPE_NORMAL, false},
437 {"sm_test_09_user_name_1", GUM_USERTYPE_NORMAL, false}
440 for (auto& gu : users)
443 const char *const pkgId[] = {"sm_test_09_pkg_id_0", "sm_test_09_pkg_id_1"};
444 const char *const appId[] = {"sm_test_09_app_id_0", "sm_test_09_app_id_1"};
445 const char *const version[] = {"sm_test_09_version_0", "sm_test_09_version_1"};
446 const char *const author[] = {"sm_test_09_author_0", "sm_test_09_author_1"};
447 bool hybrid[] = {false, true};
449 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid
450 install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
451 // uid_1, pkg_0, app_0, version_0, author_0, not hybrid -> ok (different uid)
452 install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
453 // uid_0, pkg_0, app_0, version_0, author_0, hybrid -> ok for update (different hybrid setting)
454 install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
455 update(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
456 // uid_0, pkg_0, app_1, version_0, author_0, hybrid -> ok (new app id)
457 install(users[0], pkgId[0], appId[1], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
458 // uid_1, pkg_0, app_0, version_0, author_0, hybrid -> ok (different hybrid setting)
459 install(users[1], pkgId[0], appId[0], version[0], author[0], hybrid[1], SECURITY_MANAGER_SUCCESS, false);
460 // uid_1, pkg_0, app_0, version_0, author_1, not hybrid -> fail (author of app_0 must be the same)
461 install(users[1], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
462 // uid_1, pkg_0, app_0, version_1, author_0, not hybrid -> ok (version upgrade and different hybrid setting)
463 install(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
464 update(users[1], pkgId[0], appId[0], version[1], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS);
465 // uid_1, pkg_1, app_0, version_0, author_0, not hybrid -> fail (pkg of app_0 must be the same)
466 install(users[1], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
467 // uid_0, pkg_0, app_0, version_0, author_0, not hybrid -> ok (the same app again)
468 install(users[0], pkgId[0], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_SUCCESS, false);
469 // uid_0, pkg_1, app_0, version_0, author_0, not hybrid -> fail (app_name + uid must be unique)
470 install(users[0], pkgId[1], appId[0], version[0], author[0], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
471 // uid_0, pkg_0, app_0, version_0, author_1, not hybrid -> fail (app_name + uid must be unique)
472 install(users[0], pkgId[0], appId[0], version[0], author[1], hybrid[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
475 RUNNER_TEST(security_manager_09a_install_many_apps_in_single_request)
477 constexpr char pkgIdPrefix[] = "sm_test_09a";
478 const AppInstallHelperExt apps[] = {{"sm_test_09a_0", pkgIdPrefix},
479 {"sm_test_09a_1", pkgIdPrefix},
480 {"sm_test_09a_2", pkgIdPrefix}};
481 static_assert(sizeof(apps) > 0);
483 std::vector<std::string> appIds;
484 for (auto &app : apps)
485 appIds.push_back(app.getAppId());
488 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
489 // Installing many applications in single request
490 for (auto &app : apps) {
491 app.checkAfterInstall();
495 for (auto &app : apps) {
496 app.checkAfterUninstall();
500 RUNNER_TEST(security_manager_09b_install_many_apps_in_single_request_duplicated_ids)
502 AppInstallHelperExt app("sm_test_09b");
504 ScopedInstaller appsInstall({app.getAppId(), app.getAppId()}, app.getPkgId());
505 app.checkAfterInstall();
508 app.checkAfterUninstall();
511 RUNNER_TEST(security_manager_09c_update_many_apps_in_single_request_hybrid_package)
513 constexpr char pkgIdPrefix[] = "sm_test_09c";
514 AppInstallHelperExt apps[] = {{"sm_test_09c_0", pkgIdPrefix},
515 {"sm_test_09c_1", pkgIdPrefix},
516 {"sm_test_09c_2", pkgIdPrefix}};
517 static_assert(sizeof(apps) > 0);
519 std::vector<std::string> appIds;
520 for (const auto &app : apps)
521 appIds.push_back(app.getAppId());
524 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
525 // Package is not hybrid, every app has same policy.
526 for (const auto &app : apps) {
527 app.checkAfterInstall();
530 // Updating package -- changing set of apps in package and setting hybrid mode
531 InstallRequest updateRequest;
532 updateRequest.setPkgId(apps[0].getPkgId());
533 updateRequest.setAppId(appIds[0]);
534 updateRequest.nextApp();
535 updateRequest.setAppId(appIds[1]);
536 updateRequest.setHybrid();
538 Api::update(updateRequest);
540 // Package became hybrid, so every app has its own Smack label
541 for (auto &app : apps) {
544 apps[0].checkAfterInstall();
545 apps[1].checkAfterInstall();
547 // Package became hybrid properly,
548 // so app not included in updated version of package was uninstalled.
549 apps[2].checkAfterUninstall(false);
552 for (const auto &app : apps) {
553 app.checkAfterUninstall();
557 RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package)
559 constexpr char pkgIdPrefix[] = "sm_test_09d";
560 AppInstallHelperExt apps[] = {{"sm_test_09d_0", pkgIdPrefix},
561 {"sm_test_09d_1", pkgIdPrefix},
562 {"sm_test_09d_2", pkgIdPrefix}};
563 static_assert(sizeof(apps) > 0);
565 std::vector<std::string> appIds;
566 for (const auto &app : apps)
567 appIds.push_back(app.getAppId());
570 ScopedInstaller appsInstall(appIds, apps[0].getPkgId());
572 InstallRequest updateRequest;
573 updateRequest.setPkgId(apps[0].getPkgId());
574 for (unsigned int i = 0; i < appIds.size(); i++) {
576 updateRequest.nextApp();
578 updateRequest.setAppId(appIds[i]);
580 updateRequest.setHybrid();
581 Api::update(updateRequest);
583 InstallRequest uninstRequest;
584 uninstRequest.setPkgId(apps[0].getPkgId());
585 uninstRequest.setAppId(appIds[0]);
586 Api::uninstall(uninstRequest);
588 for (auto &app : apps) {
591 apps[0].checkAfterUninstall(false);
593 for (const auto &app : apps) {
594 app.checkAfterUninstall();
598 RUNNER_CHILD_TEST(security_manager_10_app_has_privilege)
600 const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
601 const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_VPNSERVICE, PRIV_NOTIFICATION};
603 AppInstallHelperExt app("sm_test_10");
604 app.addPrivileges(allowedPrivs);
605 ScopedInstaller appInstall(app);
607 app.checkAfterInstall();
608 app.checkDeniedPrivileges(someDeniedPrivs);
609 // FIXME - all other existing privileges should be checked
612 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_POLICY)
614 RUNNER_TEST(security_manager_20_user_cynara_policy)
616 // FIXME - whitebox - cynara
617 const char *const MAIN_BUCKET = "MAIN";
618 const char *const MANIFESTS_GLOBAL_BUCKET = "MANIFESTS_GLOBAL";
619 const char *const MANIFESTS_LOCAL_BUCKET = "MANIFESTS_LOCAL";
620 const char *const ADMIN_BUCKET = "ADMIN";
621 const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
622 CynaraTestAdmin::Admin admin;
624 TemporaryTestUser user("sm_test_20_user_name", GUM_USERTYPE_NORMAL, false);
626 std::string uid_string = user.getUidString();
628 CynaraTestAdmin::CynaraPoliciesContainer nonemptyContainer;
629 nonemptyContainer.add(MAIN_BUCKET,CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, CYNARA_ADMIN_BUCKET, USER_TYPE_NORMAL_BUCKET);
630 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, nonemptyContainer,CYNARA_API_SUCCESS);
633 CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
635 admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
636 admin.listPolicies(MANIFESTS_GLOBAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
637 admin.listPolicies(MANIFESTS_LOCAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
638 admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
639 admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
642 RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv)
644 const PolicyConfiguration::PrivVector adminRequiredPrivs = {
646 PRIV_INTERNAL_USERMANAGEMENT
648 const PolicyConfiguration::PrivVector manifestPrivs = {PRIV_INTERNET, PRIV_DATASHARING};
649 const PolicyConfiguration::PrivVector allowedPrivsAfterChange = {PRIV_DATASHARING};
650 const PolicyConfiguration::PrivVector deniedPrivsAfterChange = {PRIV_INTERNET};
652 TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false);
653 TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false);
658 AppInstallHelper adminApp("sm_test_21_admin", adminUser.getUid());
659 adminApp.addPrivileges(adminRequiredPrivs);
660 ScopedInstaller adminAppInstall(adminApp);
662 AppInstallHelperExt normalApp("sm_test_21_normal", normalUser.getUid());
663 normalApp.addPrivileges(manifestPrivs);
664 ScopedInstaller normalAppInstall(normalApp);
665 normalApp.checkAfterInstall();
668 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
669 if (pid != 0) { //parent process
671 normalApp.checkPrivileges(allowedPrivsAfterChange, deniedPrivsAfterChange);
673 Api::setProcessLabel(adminApp.getAppId());
674 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(),adminUser.getGid()) == 0,
675 "drop_root_privileges failed");
677 PolicyRequest addPolicyReq;
678 for (auto &deniedPriv : deniedPrivsAfterChange) {
679 PolicyEntry entry(SECURITY_MANAGER_ANY, normalUser.getUidString(), deniedPriv);
680 entry.setMaxLevel(PolicyEntry::LEVEL_DENY);
681 addPolicyReq.addEntry(entry);
683 Api::sendPolicy(addPolicyReq);
688 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CMD)
690 RUNNER_TEST(security_manager_22_security_manager_cmd_install)
693 const int SUCCESS = 0;
694 const int FAILURE = 256;
695 const std::string app_id = "sm_test_22_app_id";
696 const std::string pkg_id = "sm_test_22_pkg_id";
697 const std::string username("sm_test_22_user_name");
699 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL);
702 const std::string path1 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p1";
703 const std::string path2 = TzPlatformConfig::appDirPath(user, app_id, pkg_id) + "/p2";
704 const std::string pkgopt = " --pkg=" + pkg_id;
705 const std::string appopt = " --app=" + app_id;
706 const std::string uidopt = " --uid=" + user.getUidString();
708 mktreeSafe(path1.c_str(), 0);
709 mktreeSafe(path2.c_str(), 0);
711 const std::string installcmd = "security-manager-cmd --install " + appopt + pkgopt + uidopt;
717 std::vector<struct operation> operations = {
718 {"security-manager-cmd", FAILURE},//no option
719 {"security-manager-cmd --blah", FAILURE},//blah option is not known
720 {"security-manager-cmd --help", SUCCESS},
721 {"security-manager-cmd --install", FAILURE},//no params
722 {"security-manager-cmd -i", FAILURE},//no params
723 {"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
724 {installcmd, SUCCESS},
725 {"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
726 {installcmd + " --path " + path1 + " rw", SUCCESS},
727 {installcmd + " --path " + path1, FAILURE},//no path type
728 {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
729 {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
730 {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
733 for (auto &op : operations) {
734 ret = system((op.command + " 1>/dev/null 2>&1").c_str());
735 RUNNER_ASSERT_MSG(ret == op.expected_result,
736 "Unexpected result for command '" << op.command <<"': "
737 << ret << " Expected was: "<< op.expected_result);
741 RUNNER_TEST(security_manager_23_security_manager_cmd_users)
743 const int SUCCESS = 0;
744 const int FAILURE = 256;
745 TemporaryTestUser user("sm_test_23_user_name", GUM_USERTYPE_NORMAL, false);
747 const std::string uidopt = " --uid=" + user.getUidString();
753 std::vector<struct operation> operations = {
754 {"security-manager-cmd --manage-users=remove", FAILURE},//no params
755 {"security-manager-cmd -m", FAILURE},//no params
756 {"security-manager-cmd -mr", FAILURE},//no uid
757 {"security-manager-cmd -mr --uid" + uidopt, FAILURE},//no uid
758 {"security-manager-cmd -mr --sdfj" + uidopt, FAILURE},//sdfj?
759 {"security-manager-cmd --msdf -u2004" , FAILURE},//sdf?
760 {"security-manager-cmd -mr" + uidopt, SUCCESS},//ok, removed
761 {"security-manager-cmd -mr --blah" + uidopt, FAILURE},//blah
762 {"security-manager-cmd -ma" + uidopt, SUCCESS},//ok, added
763 {"security-manager-cmd -ma --usertype=normal" + uidopt, SUCCESS},//ok, added
764 {"security-manager-cmd -ma --usertype=mal" + uidopt, FAILURE},//ok, added
767 for (auto &op : operations) {
768 int ret = system((op.command + " 1>/dev/null 2>&1").c_str());
769 RUNNER_ASSERT_MSG(ret == op.expected_result,
770 "Unexpected result for command '" << op.command <<"': "
771 << ret << " Expected was: "<< op.expected_result);
775 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_GROUPS)
777 RUNNER_TEST(security_manager_24_groups_get)
779 PolicyConfiguration pc;
783 Api::getSecurityManagerGroups(&c_groups, &count);
784 std::unique_ptr<gid_t, decltype(free)*> groupsPtr(c_groups, free);
786 auto policyGroups = pc.getGid();
787 RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
788 << policyGroups.size() << " but count is: " << count);
790 for (const auto &group : policyGroups) {
792 for (size_t i = 0; i < count; ++i) {
793 if (group == c_groups[i]) {
798 RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
802 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
804 RUNNER_TEST(security_manager_25a_global_user_set_install_type_global)
806 AppInstallHelperExt app("sm_test_25a");
807 app.setInstallType(SM_APP_INSTALL_GLOBAL);
809 ScopedInstaller appInstall(app);
811 app.checkAfterInstall();
814 // Check records in the security-manager database
815 app.checkAfterUninstall();
818 RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
820 AppInstallHelper app("sm_test_25b");
822 InstallRequest requestInst;
823 requestInst.setAppId(app.getAppId());
824 requestInst.setPkgId(app.getPkgId());
825 requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
827 Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
830 RUNNER_TEST(security_manager_25c_global_user_set_install_type_preloaded)
832 AppInstallHelperExt app("sm_test_25c");
833 app.setInstallType(SM_APP_INSTALL_PRELOADED);
835 ScopedInstaller appInstall(app);
836 app.checkAfterInstall();
838 app.checkAfterUninstall();
841 RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
843 InstallRequest requestPrivateUser;
844 requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
845 requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
849 * It is possible for local user to install global application but one needs app_install privileges
850 * By default only global user or root can install global apps (or "User", "System", "System::Privileged"...)
852 RUNNER_CHILD_TEST(security_manager_25e_unprivileged_install_type_global)
854 RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
856 TemporaryTestUser testUser("sm_test_25e_user_name", GUM_USERTYPE_NORMAL);
859 AppInstallHelper app("sm_test_25e");
861 ScopedProcessLabel spl("_", false);
862 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
863 "drop_root_privileges failed");
865 InstallRequest invalidReq;
866 invalidReq.setAppId(app.getAppId());
867 invalidReq.setPkgId(app.getPkgId());
868 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
870 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
873 RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded)
875 RUNNER_IGNORED_MSG("This test is turned off because multiuser feature is not supported by platform correctly");
877 TemporaryTestUser testUser("sm_test_25f_user_name", GUM_USERTYPE_NORMAL);
880 AppInstallHelper app("sm_test_25f");
882 ScopedProcessLabel spl("_", false);
883 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
884 "drop_root_privileges failed");
885 InstallRequest invalidReq;
886 invalidReq.setAppId(app.getAppId());
887 invalidReq.setPkgId(app.getPkgId());
888 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
889 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
892 RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local)
894 const PolicyConfiguration::PrivVector allowedPrivs = {
899 const PolicyConfiguration::PrivVector someDeniedPrivs = {
905 TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL);
908 AppInstallHelperExt app("sm_test_25g", testUser.getUid());
909 app.createPrivateDir();
910 app.setInstallType(SM_APP_INSTALL_LOCAL);
911 app.addPrivileges(allowedPrivs);
913 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
914 "drop_root_privileges failed");
916 ScopedInstaller appInstall(app);
917 app.checkAfterInstall();
918 app.checkDeniedPrivileges(someDeniedPrivs);
920 app.checkAfterUninstall();
923 RUNNER_CHILD_TEST(security_manager_25h_local_path_global_install)
925 TemporaryTestUser testUser("sm_test_25h_user_name", GUM_USERTYPE_NORMAL);
928 AppInstallHelper app("sm_test_25h", testUser.getUid());
929 app.createPrivateDir();
931 InstallRequest invalidReq;
932 invalidReq.setAppId(app.getAppId());
933 invalidReq.setPkgId(app.getPkgId());
934 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
935 invalidReq.setInstallType(SM_APP_INSTALL_GLOBAL);
936 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
939 RUNNER_CHILD_TEST(security_manager_25i_local_path_preloaded_install)
941 TemporaryTestUser testUser("sm_test_25i_user_name", GUM_USERTYPE_NORMAL);
944 AppInstallHelper app("sm_test_25i", testUser.getUid());
945 app.createPrivateDir();
947 InstallRequest invalidReq;
948 invalidReq.setAppId(app.getAppId());
949 invalidReq.setPkgId(app.getPkgId());
950 invalidReq.addPath(app.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
951 invalidReq.setInstallType(SM_APP_INSTALL_PRELOADED);
952 Api::install(invalidReq, (lib_retcode)SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
955 RUNNER_CHILD_TEST(security_manager_25j_global_path_local_install)
957 TemporaryTestUser testUser("sm_test_25j_user_name", GUM_USERTYPE_NORMAL);
960 AppInstallHelper appLocal("sm_test_25j", testUser.getUid());
962 AppInstallHelper appGlobal("sm_test_25");
963 appGlobal.createPrivateDir();
965 RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(testUser.getUid(), testUser.getGid()) == 0,
966 "drop_root_privileges failed");
968 InstallRequest invalidReq;
969 invalidReq.setAppId(appLocal.getAppId());
970 invalidReq.setPkgId(appLocal.getPkgId());
971 invalidReq.addPath(appGlobal.getPrivateDir(), SECURITY_MANAGER_PATH_RW);
972 invalidReq.setInstallType(SM_APP_INSTALL_LOCAL);
974 Api::install(invalidReq, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
977 RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check)
979 TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL);
982 const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY};
984 AppInstallHelperExt app1("sm_test_26_1", "sm_test_26", testUser.getUid());
985 app1.addPrivileges(allowedPrivs);
988 AppInstallHelperExt app2("sm_test_26_2", "sm_test_26", testUser.getUid());
989 app2.addPrivileges(allowedPrivs);
993 ScopedInstaller appInstall1(app1);
994 ScopedInstaller appInstall2(app2);
995 app1.checkAfterInstall();
996 app2.checkAfterInstall();
999 app1.checkAfterUninstall(false);
1000 app2.checkAfterUninstall();