src/security-manager-tests/test_cases_app_policy.cpp

   1 /*
   2  * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16
  17 #include <string>
  18 #include <vector>
  19
  20 #include <app_install_helper.h>
  21 #include <pkg_privacy_privileges.h>
  22 #include <scoped_installer.h>
  23 #include <sm_api.h>
  24 #include <sm_commons.h>
  25 #include <temp_test_user.h>
  26 #include <tests_common.h>
  27
  28 #include <dpl/test/test_runner.h>
  29 #include <dpl/test/test_runner_child.h>
  30 #include <privilege_names.h>
  31
  32 using namespace PrivilegeNames;
  33
  34 const PrivilegeVector TEST_PRIVACY_PRIVILEGES = {
  35     Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY),
  36     Privilege(PRIV_ACCOUNT_READ, Privilege::PRIVACY),
  37     Privilege(PRIV_HEALTHINFO, Privilege::PRIVACY) };
  38
  39 using namespace SecurityManagerTest;
  40
  41 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_APP_POLICY)
  42
  43 RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) {
  44     TemporaryTestUser tmpUser("sm_test_ap1_user_name", GUM_USERTYPE_NORMAL, false);
  45     tmpUser.create();
  46
  47     AppInstallHelper app("sm_test_ap1", tmpUser.getUid());
  48     app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
  49
  50     unsigned expectedPolicyCount = countPrivacyPrivileges(app.getPrivileges());
  51
  52     // If askuser is disabled there will be no privacy policy to expect
  53     RUNNER_ASSERT_MSG(isAskuserDisabled() || expectedPolicyCount > 0,
  54             "Application won't be installed with any privacy privileges, fix test");
  55
  56     PkgPrivacyPrivileges setupPrivacyPrivs(app);
  57     ScopedInstaller appInstall(app);
  58
  59     pid_t pid = fork();
  60     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
  61     if (pid != 0) { //parent process
  62         waitPid(pid);
  63     } else { //child process
  64         Api::setProcessLabel(app.getAppId());
  65         RUNNER_ASSERT_ERRNO_MSG(
  66                 drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
  67                 "drop_root_privileges failed");
  68
  69         std::string uidStr = tmpUser.getUidString();
  70         for (const auto &appPrivilege : app.getPrivileges()) {
  71             PolicyEntry filter(app.getAppId(), uidStr, appPrivilege);
  72
  73             std::vector<PolicyEntry> policyEntries;
  74             Api::getPolicyForSelf(filter, policyEntries);
  75             if (isAskuserDisabled()) {
  76                 //further checks do not make sense, but we've checked if app has permission to perform policy fetch
  77                 continue;
  78             }
  79
  80             RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
  81             RUNNER_ASSERT_MSG(policyEntries.size() == 1,
  82                     "Number of policies doesn't match - should be: " << expectedPolicyCount << " and is " << policyEntries.size());
  83
  84             for (const auto &policyEntry : policyEntries) {
  85                 std::string user = policyEntry.getUser();
  86                 std::string appId = policyEntry.getAppId();
  87                 std::string privilege = policyEntry.getPrivilege();
  88
  89                 RUNNER_ASSERT_MSG(appId == app.getAppId(),
  90                         "Policy returned for wrong appId," " expected : " << app.getAppId() << ", got : " << appId);
  91                 RUNNER_ASSERT_MSG(user == uidStr,
  92                         "Policy returned for wrong user," " expected : " << uidStr << ", got : " << user);
  93                 RUNNER_ASSERT_MSG(privilege == appPrivilege.getName(),
  94                         "Policy returned for wrong privilege," " expected : " << appPrivilege << ", got : " << privilege);
  95
  96             }
  97         }
  98         exit(0);
  99     }
 100 }
 101
 102 RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) {
 103     TemporaryTestUser tmpUser("sm_test_ap2_1_user_name", GUM_USERTYPE_NORMAL, false);
 104     tmpUser.create();
 105     TemporaryTestUser tmpUser2("sm_test_ap2_2_user_name", GUM_USERTYPE_NORMAL, false);
 106     tmpUser2.create();
 107
 108     AppInstallHelper app("sm_test_ap2", tmpUser.getUid());
 109     app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
 110
 111     PkgPrivacyPrivileges setupPrivacyPrivs(app);
 112     ScopedInstaller appInstall(app);
 113
 114     pid_t pid = fork();
 115     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
 116     if (pid != 0) { //parent process
 117         waitPid(pid);
 118     } else { //child process
 119         Api::setProcessLabel(app.getAppId());
 120         RUNNER_ASSERT_ERRNO_MSG(
 121                 drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
 122                 "drop_root_privileges failed");
 123
 124         std::string wrongUidStr = tmpUser2.getUidString();
 125         for (const auto &appPrivilege : app.getPrivileges()) {
 126             PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege);
 127
 128             std::vector<PolicyEntry> policyEntries;
 129             Api::getPolicyForSelf(filter, policyEntries,
 130                     SECURITY_MANAGER_ERROR_ACCESS_DENIED);
 131         }
 132         exit(0);
 133     }
 134 }
 135
 136 RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_global) {
 137     TemporaryTestUser tmpUser("sm_test_ap3_1_user_name", GUM_USERTYPE_NORMAL, false);
 138     tmpUser.create();
 139     TemporaryTestUser tmpUser2("sm_test_ap3_2_user_name", GUM_USERTYPE_NORMAL, false);
 140     tmpUser2.create();
 141
 142     AppInstallHelper app("sm_test_ap3");
 143     app.setInstallType(SM_APP_INSTALL_GLOBAL);
 144     app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
 145
 146     PkgPrivacyPrivileges setupPrivacyPrivs(app);
 147     ScopedInstaller appInstall(app);
 148
 149     pid_t pid = fork();
 150     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
 151     if (pid != 0) { //parent process
 152         waitPid(pid);
 153     } else { //child process
 154         Api::setProcessLabel(app.getAppId());
 155         RUNNER_ASSERT_ERRNO_MSG(
 156                 drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
 157                 "drop_root_privileges failed");
 158
 159         std::string wrongUidStr = tmpUser2.getUidString();
 160         for (const auto &appPrivilege : app.getPrivileges()) {
 161             PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege);
 162
 163             std::vector<PolicyEntry> policyEntries;
 164             Api::getPolicyForSelf(filter, policyEntries,
 165                     SECURITY_MANAGER_ERROR_ACCESS_DENIED);
 166         }
 167         exit(0);
 168     }
 169 }
 170
 171 RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) {
 172     TemporaryTestUser tmpUser("sm_test_ap3_user_name", GUM_USERTYPE_NORMAL, false);
 173     tmpUser.create();
 174
 175     AppInstallHelper app1("sm_test_ap3_1", tmpUser.getUid());
 176     app1.addPrivileges(TEST_PRIVACY_PRIVILEGES);
 177
 178     AppInstallHelper app2("sm_test_ap3_2", tmpUser.getUid());
 179     app2.addPrivileges(TEST_PRIVACY_PRIVILEGES);
 180
 181     PkgPrivacyPrivileges setupPrivacyPrivs1(app1);
 182     ScopedInstaller appInstall1(app1);
 183
 184     PkgPrivacyPrivileges setupPrivacyPrivs2(app2);
 185     ScopedInstaller appInstall2(app2);
 186
 187     pid_t pid = fork();
 188     RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
 189     if (pid != 0) { //parent process
 190         waitPid(pid);
 191     } else { //child process
 192         Api::setProcessLabel(app1.getAppId());
 193         RUNNER_ASSERT_ERRNO_MSG(
 194                 drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
 195                 "drop_root_privileges failed");
 196
 197         std::string uidStr = tmpUser.getUidString();
 198         for (const auto &appPrivilege : app1.getPrivileges()) {
 199             PolicyEntry filter(app2.getAppId(), uidStr, appPrivilege);
 200
 201             std::vector<PolicyEntry> policyEntries;
 202             Api::getPolicyForSelf(filter, policyEntries,
 203                     SECURITY_MANAGER_ERROR_ACCESS_DENIED);
 204         }
 205         exit(0);
 206     }
 207 }