2 * Copyright (c) 2016-2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 #include <unordered_map>
21 #include <sys/smack.h>
22 #include <sys/types.h>
25 #include <dpl/test/test_runner.h>
26 #include <sm_commons.h>
27 #include <tests_common.h>
28 #include <scoped_installer.h>
29 #include <scoped_path_remover.h>
31 using namespace SecurityManagerTest;
35 const uid_t OWNER_UID = 5001;
36 const uid_t OWNER_GID = 100;
38 const std::vector<std::string> versions = {
43 typedef std::vector<std::pair<std::string, std::string>> VersionCombinations;
45 VersionCombinations makeVersionCombinations(const std::vector<std::string> &versions) {
46 VersionCombinations verCombs;
47 for (const auto &version1 : versions)
48 for (const auto &version2: versions)
49 verCombs.push_back({version1, version2});
53 const VersionCombinations versionCombinations = makeVersionCombinations(versions);
55 } //anonymous namespace
57 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO)
59 static void runAccessTest(uid_t uid, gid_t gid, const std::string &appId,
60 std::function<void(void)> f)
64 RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
66 setLauncherSecurityAttributes(uid, gid);
67 Api::prepareAppCandidate();
68 Api::prepareApp(appId.c_str());
74 Api::cleanupApp(appId.c_str(), uid, pid);
79 * Check whether owner app have access to own sharedRO dir
81 RUNNER_CHILD_TEST(security_manager_76_owner_access)
83 for (const auto &version : versions) {
84 AppInstallHelper app("sm_test_76a", OWNER_UID, version);
85 app.createSharedRODir();
86 ScopedInstaller sharedROPkgApp(app);
88 runAccessTest(OWNER_UID, OWNER_GID, app.getAppId(), [&]() {
89 accessTest(app.getAppId(), app.getSharedRODir(), R_OK|W_OK|X_OK);
94 RUNNER_CHILD_TEST(security_manager_7x_test)
96 AppInstallHelper ownerApp("owner_7x", OWNER_UID);
97 ownerApp.createSharedRODir();
98 ScopedInstaller ownerAppInstall(ownerApp);
100 AppInstallHelper otherApp("other_7x", OWNER_UID);
101 otherApp.createSharedRODir();
102 ScopedInstaller otherAppInstall(otherApp);
104 runAccessTest(OWNER_UID, OWNER_GID, ownerApp.getAppId(), [&]() {
105 accessTest(ownerApp.getAppId(), ownerApp.getSharedRODir(), R_OK | W_OK | X_OK);
106 accessTest(ownerApp.getAppId(), otherApp.getSharedRODir(), R_OK | X_OK);
112 * Check whether app without shared RO path has access to shared RO dir and
113 * no access to private directories of application from different package between
114 * different version combinations
116 RUNNER_CHILD_TEST(security_manager_77_owner_other_access_version_combinations)
118 for (const auto &version : versionCombinations) {
119 AppInstallHelper sharedApp("sm_test_77_shared", OWNER_UID, version.first);
120 sharedApp.createSharedRODir();
121 sharedApp.createPrivateDir();
122 ScopedInstaller sharedAppInstall(sharedApp);
124 AppInstallHelper nonSharedApp("sm_test_77_nonshared", OWNER_UID, version.second);
125 ScopedInstaller nonSharedAppInstall(nonSharedApp);
127 runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
128 accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
131 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
132 accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
133 accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
139 * Check whether app with shared RO dir has access to shared RO dir and no access to
140 * private paths of an application from different package between different version
143 RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_shared_ro)
145 for (const auto &version : versionCombinations) {
146 AppInstallHelper sharedApp1("sm_test_78_shared1", OWNER_UID, version.first);
147 sharedApp1.createSharedRODir();
148 sharedApp1.createPrivateDir();
149 ScopedInstaller sharedAppInstall1(sharedApp1);
151 AppInstallHelper sharedApp2("sm_test_78_shared2", OWNER_UID, version.second);
152 sharedApp2.createSharedRODir();
153 sharedApp2.createPrivateDir();
154 ScopedInstaller sharedApp2Install(sharedApp2);
156 runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
157 accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
158 accessTest(sharedApp1.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
159 accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(), 0);
162 runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
163 accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|X_OK);
164 accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
165 accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(), 0);
171 * Install two apps with shared RO dirs from one package and check accesses
172 * to shared RO dirs with different versions
174 RUNNER_CHILD_TEST(security_manager_79a_same_pkg_shared_ro_have_ro_access_to_shared_ro)
176 const std::string sharedPkgName = "sm_test_79a";
178 for (const auto &version : versions) {
179 AppInstallHelper sharedApp1("sm_test_79a_shared1", sharedPkgName, OWNER_UID, version);
180 sharedApp1.createSharedRODir();
181 ScopedInstaller sharedAppInstall1(sharedApp1);
183 AppInstallHelper sharedApp2("sm_test_79a_shared2", sharedPkgName, OWNER_UID, version);
184 sharedApp2.createSharedRODir();
185 ScopedInstaller sharedAppInstall2(sharedApp2);
187 runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
188 accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
190 runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
191 accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
197 * Install two apps with and without shared RO dirs from one package and check accesses
198 * to shared RO dir with different versions
200 RUNNER_CHILD_TEST(security_manager_79b_same_pkg_shared_ro_have_ro_access_to_shared_ro)
202 const std::string sharedPkgName = "sm_test_79b";
204 for (const auto &version : versions) {
205 AppInstallHelper sharedApp("sm_test_79b_shared1", sharedPkgName, OWNER_UID, version);
206 sharedApp.createSharedRODir();
207 ScopedInstaller sharedAppInstall(sharedApp);
209 AppInstallHelper nonSharedApp("sm_test_79b_shared2", sharedPkgName, OWNER_UID, version);
210 ScopedInstaller nonSharedAppInstall(nonSharedApp);
212 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
213 accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
219 * Check whether sharedRO application from same pkg have proper access to private dir
220 * of other sharedRO app, then uninstall first app of sharedRO pkg application and check
221 * if access to second sharedRO remains.
223 RUNNER_CHILD_TEST(security_manager_80_same_pkg_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
225 std::string sharedPkgName = "sm_test_80";
226 for (const auto &version : versions) {
227 AppInstallHelper sharedApp1("sm_test_80_shared1", sharedPkgName, OWNER_UID, version);
228 sharedApp1.createPrivateDir(1);
229 sharedApp1.createSharedRODir(1);
230 ScopedInstaller sharedAppInstall1(sharedApp1);
232 AppInstallHelper sharedApp2("sm_test_80_shared2", sharedPkgName, OWNER_UID, version);
233 sharedApp2.createPrivateDir(2);
234 sharedApp2.createSharedRODir(2);
235 ScopedInstaller sharedAppInstall2(sharedApp2);
237 AppInstallHelper nonSharedApp("sm_test_80_nonshared", sharedPkgName, OWNER_UID, version);
238 ScopedInstaller nonSharedAppInstall(nonSharedApp);
240 runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
241 accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
243 runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
244 accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
247 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
248 accessTest(nonSharedApp.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
249 accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
252 sharedAppInstall1.uninstallApp();
254 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
255 accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
261 * Try to add valid sharedRO dir to an app and check all possible accesses to to it.
263 RUNNER_CHILD_TEST(security_manager_81_add_path_to_app_and_check_all)
265 for (const auto &version : versionCombinations) {
266 AppInstallHelper sharedApp("sm_test_83_shared1", OWNER_UID, version.first);
267 sharedApp.createPrivateDir();
268 sharedApp.createSharedRODir();
269 ScopedInstaller sharedAppInstall(sharedApp);
271 AppInstallHelper nonSharedApp("sm_test_83_nonshared", OWNER_UID, version.first);
272 ScopedInstaller nonSharedAppInstall(nonSharedApp);
274 AppInstallHelper sharedApp2("sm_test_83_shared2", OWNER_UID, version.second);
275 ScopedInstaller nonSharedAppInstall2(sharedApp2);
278 sharedApp2.createSharedRODir();
280 PathsRequest sharedRORequest;
281 sharedRORequest.setPkgId(sharedApp2.getPkgId());
282 sharedRORequest.addPath(sharedApp2.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
283 sharedRORequest.setUid(sharedApp2.getUID());
284 Api::registerPaths(sharedRORequest);
286 runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
287 accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
288 accessTest(sharedApp.getAppId(), sharedApp.getPrivateDir(), R_OK|W_OK|X_OK);
291 runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
292 accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
293 accessTest(sharedApp2.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
294 accessTest(sharedApp2.getAppId(), sharedApp.getPrivateDir(), 0);
297 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
298 accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
299 accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
300 accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
306 * Try to add path which does not belong to an app and check if operation fails.
308 RUNNER_CHILD_TEST(security_manager_82_add_invalid_path_to_app_and_check_all)
310 for (const auto &version : versionCombinations) {
311 AppInstallHelper sharedApp("sm_test_84_shared", OWNER_UID, version.first);
312 sharedApp.createSharedRODir();
313 ScopedInstaller sharedAppInstall(sharedApp);
315 AppInstallHelper nonSharedApp("sm_test_84_nonshared", OWNER_UID, version.second);
316 ScopedInstaller nonSharedAppInstall(nonSharedApp);
318 PathsRequest sharedRORequest;
319 sharedRORequest.setPkgId(nonSharedApp.getPkgId());
320 sharedRORequest.addPath(sharedApp.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
321 sharedRORequest.setUid(nonSharedApp.getUID());
322 Api::registerPaths(sharedRORequest, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
327 * Install and uninstall app and check accesses to uninstalled paths from other packages.
329 RUNNER_CHILD_TEST(security_manager_83_install_uninstall_shared_ro_app_and_check_cleaning)
331 for (const auto &verComb : versionCombinations) {
332 AppInstallHelper sharedApp1("sm_test_85_shared1", OWNER_UID, verComb.first);
333 sharedApp1.createSharedRODir();
334 ScopedInstaller sharedAppInstall1(sharedApp1);
336 AppInstallHelper sharedApp2("sm_test_85_shared2", OWNER_UID, verComb.second);
337 sharedApp2.createSharedRODir();
338 ScopedInstaller sharedAppInstall2(sharedApp2);
340 AppInstallHelper nonSharedApp("sm_test_85_nonshared", OWNER_UID, verComb.second);
341 ScopedInstaller nonSharedAppInstall(nonSharedApp);
343 sharedAppInstall1.uninstallApp();
344 sharedApp1.removePaths();
346 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
347 accessTest(nonSharedApp.getAppId(), sharedApp1.getSharedRODir(), 0);
348 accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
351 runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
352 accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), 0);
353 accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
359 * Install multiple SharedRO apps, uninstall one of them and check accesses
360 * to sharedRO path within one package.
362 RUNNER_CHILD_TEST(security_manager_84_install_uninstall_shared_ro_two_apps_in_one_pkg)
364 std::string sharedPkgName = "sm_test_86";
366 for (const auto &version : versionCombinations) {
367 AppInstallHelper nonSharedApp("sm_test_86_nonshared", OWNER_UID, version.first);
368 ScopedInstaller nonSharedAppInstall(nonSharedApp);
370 // Apps from the same package
371 AppInstallHelper sharedApp1("sm_test_86_shared1", sharedPkgName, OWNER_UID, version.second);
372 sharedApp1.createSharedRODir(1);
373 ScopedInstaller sharedAppInstall1(sharedApp1);
375 AppInstallHelper sharedApp2("sm_test_86_shared2", sharedPkgName, OWNER_UID, version.second);
376 sharedApp2.createSharedRODir(2);
377 ScopedInstaller sharedAppInstall2(sharedApp2);
379 sharedAppInstall1.uninstallApp();
381 runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
382 accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(2), R_OK|X_OK);
385 runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
386 accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK);