2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
21 #include <sys/types.h>
23 #include <unordered_set>
27 #include <app_install_helper.h>
28 #include <cynara_test_admin.h>
29 #include <dpl/test/test_runner.h>
31 #include <passwd_access.h>
32 #include <policy_configuration.h>
33 #include <privilege_info.h>
34 #include <scoped_label.h>
35 #include <scoped_installer.h>
37 #include <sm_commons.h>
38 #include <sm_policy_request.h>
39 #include <sm_request.h>
40 #include <synchronization_pipe.h>
41 #include <temp_test_user.h>
42 #include <tests_common.h>
44 using namespace SecurityManagerTest;
46 static const std::vector<std::string> PM_MANY_APPS = {
47 "security_manager_pm_app_1",
48 "security_manager_pm_app_2",
49 "security_manager_pm_app_3",
50 "security_manager_pm_app_4",
51 "security_manager_pm_app_5"
54 const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
55 const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
56 const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
57 const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
59 static const std::map<std::string, struct app_attributes> PM_MANY_APPS_PKGS = {
60 {"security_manager_pm_app_1", {"security_manager_pm_pkg_1", "2.1"}},
61 {"security_manager_pm_app_2", {"security_manager_pm_pkg_2", "3.0"}},
62 {"security_manager_pm_app_3", {"security_manager_pm_pkg_3", "2.1.1"}},
63 {"security_manager_pm_app_4", {"security_manager_pm_pkg_4", "3.1"}},
64 {"security_manager_pm_app_5", {"security_manager_pm_pkg_5", "2.2"}},
65 {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}}
68 static const std::vector<privileges_t> PM_MANY_APPS_PRIVILEGES = {
70 "http://tizen.org/privilege/internet",
71 "http://tizen.org/privilege/display"
74 "http://tizen.org/privilege/telephony",
75 "http://tizen.org/privilege/datasharing"
78 "http://tizen.org/privilege/content.write",
79 "http://tizen.org/privilege/led",
80 "http://tizen.org/privilege/email"
83 "http://tizen.org/privilege/led",
84 "http://tizen.org/privilege/email",
85 "http://tizen.org/privilege/telephony",
86 "http://tizen.org/privilege/datasharing"
89 "http://tizen.org/privilege/internet",
90 "http://tizen.org/privilege/display",
91 "http://tizen.org/privilege/led",
92 "http://tizen.org/privilege/email"
96 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
98 static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
100 InstallRequest request;
101 request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
102 request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
104 request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
106 request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
107 Api::install(request);
108 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
111 RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
114 const std::string username("sm_test_10_user_name");
115 unsigned int privileges_count = 0;
117 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
118 std::map<std::string, std::set<std::string>> apps2PrivsMap;
120 for (unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
121 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
122 PM_MANY_APPS.at(i), std::set<std::string>(
123 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
124 PM_MANY_APPS_PRIVILEGES.at(i).end())));
125 privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
128 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
129 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
131 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
134 SynchronizationPipe pipe;
137 if (pid != 0) { //parent process
138 pipe.claimParentEp();
139 TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
142 for(const auto &user : users2AppsMap) {
143 for(const auto &app : user.second) {
144 InstallRequest requestInst;
145 requestInst.setAppId(app.first.c_str());
147 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
148 } catch (const std::out_of_range &e) {
149 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
151 requestInst.setUid(tmpUser.getUid());
153 for (const auto &privilege : app.second) {
154 requestInst.addPrivilege(privilege.c_str());
157 Api::install(requestInst);
160 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
163 //Start child process
168 } else { //child process
172 uid_t uid; gid_t gid;
173 PasswdAccess::allUser(username, uid, gid);
174 std::string uidStr = std::to_string(uid);
175 register_current_process_as_privilege_manager(uid);
176 int result = drop_root_privileges(uid, gid);
177 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
179 std::vector<PolicyEntry> policyEntries;
181 Api::getPolicy(filter, policyEntries);
183 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
184 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
186 for (const auto &policyEntry : policyEntries) {
187 std::string user = policyEntry.getUser();
188 std::string app = policyEntry.getAppId();
189 std::string privilege = policyEntry.getPrivilege();
191 RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
194 std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
195 if (tmp == users2AppsMap.at(username).at(app).end())
196 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
197 } catch (const std::out_of_range &e) {
198 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
205 RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
208 const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
209 unsigned int privileges_count = 0;
211 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
212 std::map<std::string, std::set<std::string>> apps2PrivsMap;
214 for (const auto &username : usernames) {
215 //Only entries for one of the users will be listed
216 privileges_count = 0;
218 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
219 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
220 PM_MANY_APPS.at(i), std::set<std::string>(
221 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
222 PM_MANY_APPS_PRIVILEGES.at(i).end())));
223 privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
226 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
229 users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
230 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
235 SynchronizationPipe pipe;
238 if (pid != 0) { //parent process
239 pipe.claimParentEp();
240 std::vector<TemporaryTestUser> users = {
241 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
242 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
245 users.at(0).create();
246 users.at(1).create();
248 //Install apps for both users
249 for(const auto &user : users) {
250 for(const auto &app : users2AppsMap.at(user.getUserName())) {
251 InstallRequest requestInst;
252 requestInst.setAppId(app.first.c_str());
254 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
255 } catch (const std::out_of_range &e) {
256 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
258 requestInst.setUid(user.getUid());
260 for (const auto &privilege : app.second) {
261 requestInst.addPrivilege(privilege.c_str());
264 Api::install(requestInst);
267 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
274 for (auto &user : users)
277 } else { //child process
281 uid_t uid; gid_t gid;
282 PasswdAccess::allUser(usernames.at(0), uid, gid);
283 std::string uidStr = std::to_string(uid);
284 register_current_process_as_privilege_manager(uid);
286 //change uid to normal user
288 int result = drop_root_privileges(uid, gid);
289 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
291 std::vector<PolicyEntry> policyEntries;
294 //this call should only return privileges belonging to the current uid
295 Api::getPolicy(filter, policyEntries);
297 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
298 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
300 for (const auto &policyEntry : policyEntries) {
301 std::string user = policyEntry.getUser();
302 std::string app = policyEntry.getAppId();
303 std::string privilege = policyEntry.getPrivilege();
305 RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
308 std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
309 if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
310 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
311 } catch (const std::out_of_range &e) {
312 RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
319 RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
321 std::vector<PolicyEntry> oldPolicyVec;
322 Api::getPolicy(PolicyEntry(), oldPolicyVec);
323 std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
326 const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
327 unsigned int privileges_count = oldPolicyVec.size();
329 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
330 std::map<std::string, std::set<std::string>> apps2PrivsMap;
332 for (const auto &username : usernames) {
333 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
334 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
335 PM_MANY_APPS.at(i), std::set<std::string>(
336 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
337 PM_MANY_APPS_PRIVILEGES.at(i).end())));
338 privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
341 users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
344 users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
345 std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
347 privileges_count += 2;
350 SynchronizationPipe pipe;
353 if (pid != 0) { //parent process
354 pipe.claimParentEp();
355 std::vector<TemporaryTestUser> users = {
356 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
357 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
360 users.at(0).create();
361 users.at(1).create();
362 //Install apps for both users
363 for(const auto &user : users) {
364 for(const auto &app : users2AppsMap.at(user.getUserName())) {
365 InstallRequest requestInst;
366 requestInst.setAppId(app.first.c_str());
368 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
369 } catch (const std::out_of_range &e) {
370 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
372 requestInst.setUid(user.getUid());
374 for (const auto &privilege : app.second) {
375 requestInst.addPrivilege(privilege.c_str());
378 Api::install(requestInst);
381 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
384 //Start child process
388 for (auto &user : users)
391 } else { //child process
397 PasswdAccess::allUser(usernames.at(1), adminUid, adminGid);
398 std::string adminUidStr = std::to_string(adminUid);
399 uid_t normalUid = PasswdAccess::uid(usernames.at(0));
400 std::string normalUidStr = std::to_string(normalUid);
401 register_current_process_as_privilege_manager(adminUid, true);
403 //change uid to normal user
404 int result = drop_root_privileges(adminUid, adminGid);
405 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
408 std::vector<PolicyEntry> policyEntries;
409 //this call should succeed as the calling user is privileged
410 Api::getPolicy(PolicyEntry(), policyEntries);
412 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
413 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
415 for (const auto &policyEntry : policyEntries) {
416 if (oldPolicySet.count(policyEntry))
419 std::string user = policyEntry.getUser();
420 std::string app = policyEntry.getAppId();
421 std::string privilege = policyEntry.getPrivilege();
423 RUNNER_ASSERT_MSG(user == normalUidStr || user == adminUidStr, "Unexpected user: " << user);
425 std::string uidStrToLook = user == normalUidStr ? usernames.at(0) : usernames.at(1);
428 std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
429 if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
430 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
431 } catch (const std::out_of_range &e) {
432 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
433 } catch (const std::invalid_argument& e) {
434 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
442 RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
445 const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
447 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
448 std::map<std::string, std::set<std::string>> apps2PrivsMap;
450 for (const auto &username : usernames) {
452 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
453 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
454 PM_MANY_APPS.at(i), std::set<std::string>(
455 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
456 PM_MANY_APPS_PRIVILEGES.at(i).end())));
459 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
462 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
463 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
468 SynchronizationPipe sync[2];
469 std::vector<PolicyEntry> policyEntries;
473 if (pid[0] == 0) { //child #1 process
474 sync[0].claimChildEp();
477 uid_t uid; gid_t gid;
478 PasswdAccess::allUser(usernames.at(0), uid, gid);
479 register_current_process_as_privilege_manager(uid);
481 //change uid to normal user
482 int result = drop_root_privileges(uid, gid);
483 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
486 PolicyRequest policyRequest;
488 PolicyEntry policyEntry(
491 "http://tizen.org/privilege/internet"
493 policyEntry.setLevel("Deny");
495 policyRequest.addEntry(policyEntry);
496 policyEntry = PolicyEntry(
499 "http://tizen.org/privilege/display"
501 policyEntry.setLevel("Deny");
503 policyRequest.addEntry(policyEntry);
504 Api::sendPolicy(policyRequest);
507 } else { //parent process
508 sync[0].claimParentEp();
511 if (pid[1] == 0) { //child #2 process
512 sync[1].claimChildEp();
515 uid_t target_uid = PasswdAccess::uid(usernames.at(0));
518 PasswdAccess::allUser(usernames.at(1), my_uid, my_gid);
520 register_current_process_as_privilege_manager(my_uid);
522 //change uid to normal user
523 int result = drop_root_privileges(my_uid, my_gid);
524 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
526 PolicyEntry filter = PolicyEntry(
527 SECURITY_MANAGER_ANY,
528 std::to_string(target_uid),
532 //U2 requests contents of U1 privacy manager - should fail
533 Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
534 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
536 filter = PolicyEntry(
537 SECURITY_MANAGER_ANY,
538 SECURITY_MANAGER_ANY,
542 policyEntries.clear();
544 //U2 requests contents of ADMIN bucket - should fail
545 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
546 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
549 sync[1].claimParentEp();
550 std::vector<TemporaryTestUser> users = {
551 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
552 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
555 users.at(0).create();
556 users.at(1).create();
558 //Install apps for both users
559 for(const auto &user : users2AppsMap) {
561 for(const auto &app : user.second) {
562 InstallRequest requestInst;
563 requestInst.setAppId(app.first.c_str());
565 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
566 } catch (const std::out_of_range &e) {
567 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
569 requestInst.setUid(users.at(0).getUid());
571 for (const auto &privilege : app.second) {
572 requestInst.addPrivilege(privilege.c_str());
575 Api::install(requestInst);
578 //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
589 for (auto &user : users)
595 RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
598 const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
599 unsigned int privileges_count = 0;
601 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
602 std::map<std::string, std::set<std::string>> apps2PrivsMap;
604 for (const auto &username : usernames) {
606 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
607 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
608 PM_MANY_APPS.at(i), std::set<std::string>(
609 PM_MANY_APPS_PRIVILEGES.at(i).begin(),
610 PM_MANY_APPS_PRIVILEGES.at(i).end())));
611 privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
614 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
617 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
618 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
620 privileges_count += 2;
622 SynchronizationPipe pipe;
626 pipe.claimParentEp();
627 std::vector<TemporaryTestUser> users = {
628 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
629 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
632 users.at(0).create();
633 users.at(1).create();
635 //Install apps for both users
636 for(const auto &user : users) {
638 for(const auto &app : users2AppsMap.at(user.getUserName())) {
639 InstallRequest requestInst;
640 requestInst.setAppId(app.first.c_str());
642 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
643 } catch (const std::out_of_range &e) {
644 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
646 requestInst.setUid(user.getUid());
648 for (const auto &privilege : app.second) {
649 requestInst.addPrivilege(privilege.c_str());
652 Api::install(requestInst);
656 //Start child process
660 //switch back to root
661 for (auto &user : users)
664 } else { //child process
668 uid_t uid; gid_t gid;
669 PasswdAccess::allUser(usernames.at(1), uid, gid);
670 register_current_process_as_privilege_manager(uid, true);
672 //change uid to normal user
673 int result = drop_root_privileges(uid, gid);
674 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
676 PolicyRequest *policyRequest = new PolicyRequest();
678 std::vector<PolicyEntry> policyEntries;
679 //this call should succeed as the calling user is privileged
680 Api::getPolicyForSelf(filter, policyEntries);
682 unsigned int policyNum = policyEntries.size();
684 PolicyEntry policyEntry(
685 SECURITY_MANAGER_ANY,
686 SECURITY_MANAGER_ANY,
687 "http://tizen.org/privilege/internet"
689 policyEntry.setMaxLevel("Deny");
691 policyRequest->addEntry(policyEntry);
692 policyEntry = PolicyEntry(
693 SECURITY_MANAGER_ANY,
694 SECURITY_MANAGER_ANY,
695 "http://tizen.org/privilege/display"
697 policyEntry.setMaxLevel("Deny");
699 policyRequest->addEntry(policyEntry);
700 Api::sendPolicy(*policyRequest);
701 Api::getPolicyForAdmin(filter, policyEntries);
703 RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
704 << policyNum + 2 << " and is " << policyEntries.size());
706 delete policyRequest;
707 policyRequest = new PolicyRequest();
708 policyEntry = PolicyEntry(
709 SECURITY_MANAGER_ANY,
710 SECURITY_MANAGER_ANY,
711 "http://tizen.org/privilege/internet"
713 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
714 policyRequest->addEntry(policyEntry);
716 policyEntry = PolicyEntry(
717 SECURITY_MANAGER_ANY,
718 SECURITY_MANAGER_ANY,
719 "http://tizen.org/privilege/display"
721 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
723 policyRequest->addEntry(policyEntry);
724 Api::sendPolicy(*policyRequest);
726 policyEntries.clear();
727 Api::getPolicyForAdmin(filter, policyEntries);
728 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
730 delete policyRequest;
737 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
739 AppInstallHelper app("security_manager_15_update");
740 const char *const update_privilege = "http://tizen.org/privilege/led";
741 const char *const check_start_bucket = "ADMIN";
742 const std::string username("sm_test_15_username");
743 PolicyRequest addPolicyRequest;
744 CynaraTestAdmin::Admin admin;
745 ScopedProcessLabel keepLabel;
756 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
758 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
761 app.createInstallDir();
763 inst.setAppId(app.getAppId());
764 inst.setPkgId(app.getPkgId());
768 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
769 if (pid != 0)//parent process
771 FdUniquePtr pipeptr(pipefd+1);
774 register_current_process_as_privilege_manager(user.getUid(), true);
777 msg.uid = user.getUid();
778 msg.gid = user.getGid();
780 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
781 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
785 admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
786 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
790 FdUniquePtr pipeptr(pipefd);
793 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
794 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
796 //become admin privacy manager manager
797 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
798 result = drop_root_privileges(msg.uid, msg.gid);
799 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
801 PolicyEntry entry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
802 entry.setMaxLevel("Allow");
804 addPolicyRequest.addEntry(entry);
805 Api::sendPolicy(addPolicyRequest);
810 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
812 const char *const update_other_app_id = "security_manager_15_update_other_app_id";
813 const char *const update_other_pkg_id = "security_manager_15_update_other_pkg_id";
814 const char *const update_privilege = "http://tizen.org/privilege/led";
815 const char *const check_start_bucket = "ADMIN";
816 const std::string username("sm_test_15_username");
817 PolicyRequest addPolicyRequest;
818 CynaraTestAdmin::Admin admin;
819 ScopedProcessLabel keepLabel;
830 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
832 TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
836 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
837 if (pid != 0)//parent process
839 FdUniquePtr pipeptr(pipefd+1);
842 register_current_process_as_privilege_manager(user.getUid(), true);
845 msg.uid = user.getUid();
846 msg.gid = user.getGid();
848 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
849 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
853 admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_other_app_id, update_other_pkg_id).c_str(),
854 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
858 FdUniquePtr pipeptr(pipefd);
861 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
862 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
864 //become admin privacy manager manager
865 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
866 result = drop_root_privileges(msg.uid, msg.gid);
867 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
869 // use wildcard as appId
870 PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
871 entry.setMaxLevel("Allow");
873 addPolicyRequest.addEntry(entry);
874 Api::sendPolicy(addPolicyRequest);
879 RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
881 AppInstallHelper app("security_manager_15_update");
882 const char *const update_privilege = "http://tizen.org/privilege/led";
883 const char *const check_start_bucket = "";
884 const std::string username("sm_test_15_username");
885 PolicyRequest addPolicyRequest;
886 CynaraTestAdmin::Admin admin;
887 ScopedProcessLabel keepLabel;
898 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
900 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
903 app.createInstallDir();
905 inst.setAppId(app.getAppId());
906 inst.setPkgId(app.getPkgId());
910 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
911 if (pid != 0)//parent process
913 FdUniquePtr pipeptr(pipefd+1);
916 register_current_process_as_privilege_manager(user.getUid(), false);
919 msg.uid = user.getUid();
920 msg.gid = user.getGid();
922 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
923 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
927 admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
928 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
932 FdUniquePtr pipeptr(pipefd);
935 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
936 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
938 //become admin privacy manager manager
939 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
940 result = drop_root_privileges(msg.uid, msg.gid);
941 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
943 PolicyEntry entry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
944 entry.setLevel("Allow");
946 addPolicyRequest.addEntry(entry);
947 Api::sendPolicy(addPolicyRequest);
952 RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
954 const std::string username("sm_test_16_user_cynara_policy");
955 CynaraTestAdmin::Admin admin;
965 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
967 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
971 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
972 if (pid != 0)//parent process
974 FdUniquePtr pipeptr(pipefd+1);
978 msg.uid = user.getUid();
979 msg.gid = user.getGid();
981 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
982 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
990 std::string allow_policy, deny_policy;
992 FdUniquePtr pipeptr(pipefd);
995 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
996 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
998 //become admin privacy manager manager
999 result = drop_root_privileges(msg.uid, msg.gid);
1000 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1002 // 3 should be there when ask-user is installed
1003 ret = security_manager_policy_levels_get(&levels, &count);
1005 RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
1006 "Invlid return code: " << ret);
1008 RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
1010 deny_policy = std::string(levels[0]);
1011 allow_policy = std::string(levels[count-1]);
1013 // first should always be Deny
1014 RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
1015 "Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
1017 // last should always be Allow
1018 RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
1019 "Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
1021 security_manager_policy_levels_free(levels, count);
1026 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
1028 AppInstallHelper app("security_manager_17_update");
1029 const char *const update_privilege = "http://tizen.org/privilege/led";
1030 const char *const check_start_bucket = "";
1031 const std::string username("sm_test_17_username");
1032 PolicyRequest addPolicyRequest;
1033 CynaraTestAdmin::Admin admin;
1044 ScopedProcessLabel keepLabel;
1046 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1047 RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
1049 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
1052 app.createInstallDir();
1053 InstallRequest inst;
1054 inst.setAppId(app.getAppId());
1055 inst.setPkgId(app.getPkgId());
1059 RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
1060 if (pid[0] != 0)//parent process
1062 FdUniquePtr pipeptr(pipefd+1);
1065 register_current_process_as_privilege_manager(user.getUid(), false);
1067 //send info to child
1068 msg.uid = user.getUid();
1069 msg.gid = user.getGid();
1071 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1072 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1076 admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
1077 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
1080 if (pid[1] != 0)//parent process
1082 FdUniquePtr pipeptr(pipefd2+1);
1085 //send info to child
1086 msg.uid = user.getUid();
1087 msg.gid = user.getGid();
1089 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
1090 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1094 admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
1095 std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
1099 FdUniquePtr pipeptr(pipefd2);
1102 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
1103 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1105 result = drop_root_privileges(msg.uid, msg.gid);
1106 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1108 // delete this entry
1109 PolicyRequest deletePolicyRequest;
1110 PolicyEntry deleteEntry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
1111 deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
1113 deletePolicyRequest.addEntry(deleteEntry);
1114 Api::sendPolicy(deletePolicyRequest);
1120 FdUniquePtr pipeptr(pipefd);
1123 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1124 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1126 //become admin privacy manager manager
1127 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1128 result = drop_root_privileges(msg.uid, msg.gid);
1129 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1131 PolicyEntry entry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
1132 entry.setLevel("Allow");
1134 addPolicyRequest.addEntry(entry);
1135 Api::sendPolicy(addPolicyRequest);
1140 RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
1142 const std::string username("sm_test_17_user_name");
1147 unsigned int privileges_count;
1153 ScopedProcessLabel keepLabel;
1155 RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
1158 RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
1159 if (pid != 0)//parent process
1161 FdUniquePtr pipeptr(pipefd+1);
1164 TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
1167 unsigned int privileges_count = 0;
1169 for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
1170 InstallRequest requestInst;
1171 requestInst.setAppId(PM_MANY_APPS[i].c_str());
1172 requestInst.setPkgId(PM_MANY_APPS_PKGS.at(PM_MANY_APPS[i]).package.c_str());
1173 requestInst.setUid(user.getUid());
1175 for (auto &priv : PM_MANY_APPS_PRIVILEGES.at(i)) {
1176 requestInst.addPrivilege(priv.c_str());
1179 Api::install(requestInst);
1180 privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
1183 register_current_process_as_privilege_manager(user.getUid(), false);
1184 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
1187 //send info to child
1188 msg.uid = user.getUid();
1189 msg.gid = user.getGid();
1190 msg.privileges_count = privileges_count;
1192 ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
1193 RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
1199 FdUniquePtr pipeptr(pipefd);
1202 ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
1203 RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
1205 //become admin privacy manager manager
1206 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
1207 result = drop_root_privileges(msg.uid, msg.gid);
1208 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1210 // filter by privilege
1211 std::vector<PolicyEntry> policyEntries;
1212 PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
1213 Api::getPolicy(filter, policyEntries);
1215 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1216 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1218 // filter by other privilege
1219 policyEntries.clear();
1220 PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
1221 Api::getPolicy(filter2, policyEntries);
1223 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1224 RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
1227 policyEntries.clear();
1228 PolicyEntry filter3(PM_MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
1229 Api::getPolicy(filter3, policyEntries);
1231 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1232 RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
1236 RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
1238 TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
1241 AppInstallHelper helper("sm_test_18",
1243 helper.addPrivileges({
1244 "http://tizen.org/privilege/telephony",
1245 "http://tizen.org/privilege/led",
1246 "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
1247 "http://tizen.org/privilege/account.read",
1248 "http://tizen.org/privilege/healthinfo"
1251 PolicyEntry filter (helper.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
1252 std::vector<PolicyEntry> policyEntries;
1255 ScopedInstaller installer(helper);
1256 unsigned int privacyNum = 0;
1257 for (auto &priv : helper.getPrivileges()) {
1258 if (1 == privilege_info_is_privacy(priv.c_str()))
1262 Api::getPolicy(filter, policyEntries);
1264 RUNNER_ASSERT_MSG(policyEntries.size() == helper.getPrivileges().size(),
1265 "Number of policy entries doesn't match; should be " << helper.getPrivileges().size() << " but is " << policyEntries.size());
1267 if (PolicyConfiguration::getIsAskuserEnabled() ) {
1268 unsigned int privacyActNum = 0;
1269 for (auto &entry : policyEntries)
1270 if (1 == privilege_info_is_privacy(entry.getPrivilege().c_str())) {
1271 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == "Ask user", "Invalid policy setup; policy should be \"Ask user\" but is " << entry.getCurrentLevel());
1274 RUNNER_ASSERT_MSG(privacyActNum == privacyNum, "Should be " << privacyNum << " privacy privileges, but is " << privacyActNum);
1278 policyEntries.clear();
1280 Api::getPolicy(filter, policyEntries);
1282 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "After deinstallation, policy entries size should be 0, but is: " << policyEntries.size());
1285 RUNNER_CHILD_TEST(security_manager_19_privacy_manager_privacy_related_privileges_policy_hybrid)
1287 TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
1290 AppInstallHelper helper1("sm_test_19_app_id_1",
1291 "sm_test_19_pkg_id",
1295 true); // hybrid package
1297 helper1.addPrivileges({
1298 "http://tizen.org/privilege/telephony",
1299 "http://tizen.org/privilege/led",
1300 "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
1301 "http://tizen.org/privilege/account.read",
1302 "http://tizen.org/privilege/healthinfo"
1305 AppInstallHelper helper2("sm_test_19_app_id_2",
1306 "sm_test_19_pkg_id",
1310 true); // hybrid package
1312 helper2.addPrivileges({
1313 "http://tizen.org/privilege/telephony",
1314 "http://tizen.org/privilege/led",
1315 "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
1318 std::vector<PolicyEntry> policyEntries;
1320 PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
1322 ScopedInstaller installer1(helper1);
1323 ScopedInstaller installer2(helper2);
1325 unsigned int privacyNum1 = 0, privacyNum2 = 0;
1327 for (auto &priv : helper1.getPrivileges()) {
1328 if (1 == privilege_info_is_privacy(priv.c_str()))
1332 for (auto &priv : helper2.getPrivileges()) {
1333 if (1 == privilege_info_is_privacy(priv.c_str()))
1337 Api::getPolicy(filter, policyEntries);
1339 if (PolicyConfiguration::getIsAskuserEnabled() ) {
1340 unsigned int privacyAct1 = 0, privacyAct2 = 0;
1341 for (auto &entry : policyEntries) {
1342 RUNNER_ASSERT_MSG(entry.getAppId() == helper1.getAppId() || entry.getAppId() == helper2.getAppId(),
1343 "Invalid appId: should be either " << helper1.getAppId() << " or " << helper2.getAppId() << " but is " << entry.getAppId());
1344 if (1 == privilege_info_is_privacy(entry.getPrivilege().c_str())) {
1345 RUNNER_ASSERT_MSG(entry.getCurrentLevel() == "Ask user",
1346 "Invalid policy setup; policy should be \"Ask user\" but is " << entry.getCurrentLevel());
1347 if (entry.getAppId() == helper1.getAppId())
1353 RUNNER_ASSERT_MSG(privacyNum1 == privacyAct1, "Should be " << privacyNum1 << " privacy privileges, but is " << privacyAct1);
1354 RUNNER_ASSERT_MSG(privacyNum2 == privacyAct2, "Should be " << privacyNum2 << " privacy privileges, but is " << privacyAct2);
1359 RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privielges_policy_admin_check)
1361 TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
1364 AppInstallHelper helper("sm_test_20",
1367 helper.addPrivileges({
1368 "http://tizen.org/privilege/telephony",
1369 "http://tizen.org/privilege/led",
1370 "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
1371 "http://tizen.org/privilege/account.read",
1372 "http://tizen.org/privilege/healthinfo"
1375 ScopedInstaller installer(helper);
1377 if (PolicyConfiguration::getIsAskuserEnabled() ) {
1378 CynaraTestAdmin::Admin admin;
1380 admin.getPolicyTypeForDescription("Ask user", policyType);
1381 for (auto &priv : helper.getPrivileges()) {
1382 if (1 == privilege_info_is_privacy(priv.c_str())) {
1383 admin.adminCheck("", true, helper.generateAppLabel().c_str(), user.getUidString().c_str(), priv.c_str(), policyType, nullptr);