src/security-manager-tests/test_cases_public_sharing.cpp

   1 /*
   2  * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd. All rights reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16 #include <cstdint>
  17 #include <fcntl.h>
  18 #include <functional>
  19 #include <unordered_map>
  20 #include <string>
  21 #include <sys/smack.h>
  22 #include <sys/types.h>
  23 #include <unistd.h>
  24
  25 #include <dpl/test/test_runner.h>
  26 #include <sm_commons.h>
  27 #include <tests_common.h>
  28 #include <scoped_installer.h>
  29 #include <scoped_path_remover.h>
  30
  31 using namespace SecurityManagerTest;
  32
  33 namespace {
  34
  35 const uid_t OWNER_UID = 5001;
  36 const uid_t OWNER_GID = 100;
  37
  38 const std::vector<std::string> versions = {
  39         "2.4",
  40         "3.0"
  41 };
  42
  43 typedef std::vector<std::pair<std::string, std::string>> VersionCombinations;
  44
  45 VersionCombinations makeVersionCombinations(const std::vector<std::string> &versions) {
  46     VersionCombinations verCombs;
  47     for (const auto &version1 : versions)
  48         for (const auto &version2: versions)
  49             verCombs.push_back({version1, version2});
  50     return verCombs;
  51 }
  52
  53 const VersionCombinations versionCombinations = makeVersionCombinations(versions);
  54
  55 } //anonymous namespace
  56
  57 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO)
  58
  59 static void runAccessTest(uid_t uid, gid_t gid, const std::string &appId,
  60                           std::function<void(void)> f)
  61 {
  62     pid_t pid = fork();
  63
  64     RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "Fork failed");
  65     if (pid == 0) {
  66         setLauncherSecurityAttributes(uid, gid);
  67         Api::prepareAppCandidate();
  68         Api::prepareApp(appId);
  69         f();
  70         exit(0);
  71     } else {
  72
  73         waitPid(pid);
  74         Api::cleanupApp(appId, uid, pid);
  75     }
  76 }
  77
  78 /**
  79  * Check whether owner app have access to own sharedRO dir
  80  */
  81 RUNNER_CHILD_TEST(security_manager_76_owner_access)
  82 {
  83     for (const auto &version : versions) {
  84         AppInstallHelper app("sm_test_76a", OWNER_UID, version);
  85         app.createSharedRODir();
  86         ScopedInstaller sharedROPkgApp(app);
  87
  88         runAccessTest(OWNER_UID, OWNER_GID, app.getAppId(), [&]() {
  89             accessTest(app.getAppId(), app.getSharedRODir(), R_OK|W_OK|X_OK);
  90         });
  91     }
  92 }
  93
  94 RUNNER_CHILD_TEST(security_manager_7x_test)
  95 {
  96     AppInstallHelper ownerApp("owner_7x", OWNER_UID);
  97     ownerApp.createSharedRODir();
  98     ScopedInstaller ownerAppInstall(ownerApp);
  99
 100     AppInstallHelper otherApp("other_7x", OWNER_UID);
 101     otherApp.createSharedRODir();
 102     ScopedInstaller otherAppInstall(otherApp);
 103
 104     runAccessTest(OWNER_UID, OWNER_GID, ownerApp.getAppId(), [&]() {
 105         accessTest(ownerApp.getAppId(), ownerApp.getSharedRODir(), R_OK | W_OK | X_OK);
 106         accessTest(ownerApp.getAppId(), otherApp.getSharedRODir(), R_OK | X_OK);
 107         exit(0);
 108     });
 109 }
 110
 111 /**
 112  * Check whether app without shared RO path has access to shared RO dir and
 113  * no access to private directories of application from different package between
 114  * different version combinations
 115  */
 116 RUNNER_CHILD_TEST(security_manager_77_owner_other_access_version_combinations)
 117 {
 118     for (const auto &version : versionCombinations) {
 119         AppInstallHelper sharedApp("sm_test_77_shared", OWNER_UID, version.first);
 120         sharedApp.createSharedRODir();
 121         sharedApp.createPrivateDir();
 122         ScopedInstaller sharedAppInstall(sharedApp);
 123
 124         AppInstallHelper nonSharedApp("sm_test_77_nonshared", OWNER_UID, version.second);
 125         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 126
 127         runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
 128             accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
 129         });
 130
 131         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 132             accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
 133             accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
 134         });
 135     }
 136 }
 137
 138 /**
 139  * Check whether app with shared RO dir has access to shared RO dir and no access to
 140  * private paths of an application from different package between different version
 141  * combinations
 142  */
 143 RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_shared_ro)
 144 {
 145     for (const auto &version : versionCombinations) {
 146         AppInstallHelper sharedApp1("sm_test_78_shared1", OWNER_UID, version.first);
 147         sharedApp1.createSharedRODir();
 148         sharedApp1.createPrivateDir();
 149         ScopedInstaller sharedAppInstall1(sharedApp1);
 150
 151         AppInstallHelper sharedApp2("sm_test_78_shared2", OWNER_UID, version.second);
 152         sharedApp2.createSharedRODir();
 153         sharedApp2.createPrivateDir();
 154         ScopedInstaller sharedApp2Install(sharedApp2);
 155
 156         runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
 157             accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
 158             accessTest(sharedApp1.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
 159             accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(), 0);
 160         });
 161
 162         runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
 163             accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|X_OK);
 164             accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
 165             accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(), 0);
 166         });
 167     }
 168 }
 169
 170 /**
 171  * Install two apps with shared RO dirs from one package and check accesses
 172  * to shared RO dirs with different versions
 173  */
 174 RUNNER_CHILD_TEST(security_manager_79a_same_pkg_shared_ro_have_ro_access_to_shared_ro)
 175 {
 176     const std::string sharedPkgName = "sm_test_79a";
 177
 178     for (const auto &version : versions) {
 179         AppInstallHelper sharedApp1("sm_test_79a_shared1", sharedPkgName, OWNER_UID, version);
 180         sharedApp1.createSharedRODir();
 181         ScopedInstaller sharedAppInstall1(sharedApp1);
 182
 183         AppInstallHelper sharedApp2("sm_test_79a_shared2", sharedPkgName, OWNER_UID, version);
 184         sharedApp2.createSharedRODir();
 185         ScopedInstaller sharedAppInstall2(sharedApp2);
 186
 187         runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
 188             accessTest(sharedApp1.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
 189         });
 190         runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
 191             accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), R_OK|W_OK|X_OK);
 192         });
 193     }
 194 }
 195
 196 /**
 197  * Install two apps with and without shared RO dirs from one package and check accesses
 198  * to shared RO dir with different versions
 199  */
 200 RUNNER_CHILD_TEST(security_manager_79b_same_pkg_shared_ro_have_ro_access_to_shared_ro)
 201 {
 202     const std::string sharedPkgName = "sm_test_79b";
 203
 204     for (const auto &version : versions) {
 205         AppInstallHelper sharedApp("sm_test_79b_shared1", sharedPkgName, OWNER_UID, version);
 206         sharedApp.createSharedRODir();
 207         ScopedInstaller sharedAppInstall(sharedApp);
 208
 209         AppInstallHelper nonSharedApp("sm_test_79b_shared2", sharedPkgName, OWNER_UID, version);
 210         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 211
 212         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 213             accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
 214         });
 215     };
 216 }
 217
 218 /**
 219  * Check whether sharedRO application from same pkg have proper access to private dir
 220  * of other sharedRO app, then uninstall first app of sharedRO pkg application and check
 221  * if access to second sharedRO remains.
 222  */
 223 RUNNER_CHILD_TEST(security_manager_80_same_pkg_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
 224 {
 225     std::string sharedPkgName = "sm_test_80";
 226     for (const auto &version : versions) {
 227         AppInstallHelper sharedApp1("sm_test_80_shared1", sharedPkgName, OWNER_UID, version);
 228         sharedApp1.createPrivateDir(1);
 229         sharedApp1.createSharedRODir(1);
 230         ScopedInstaller sharedAppInstall1(sharedApp1);
 231
 232         AppInstallHelper sharedApp2("sm_test_80_shared2", sharedPkgName, OWNER_UID, version);
 233         sharedApp2.createPrivateDir(2);
 234         sharedApp2.createSharedRODir(2);
 235         ScopedInstaller sharedAppInstall2(sharedApp2);
 236
 237         AppInstallHelper nonSharedApp("sm_test_80_nonshared", sharedPkgName, OWNER_UID, version);
 238         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 239
 240         runAccessTest(OWNER_UID, OWNER_GID, sharedApp1.getAppId(), [&]() {
 241             accessTest(sharedApp1.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
 242         });
 243         runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
 244             accessTest(sharedApp2.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
 245         });
 246
 247         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 248             accessTest(nonSharedApp.getAppId(), sharedApp1.getPrivateDir(1), R_OK|W_OK|X_OK);
 249             accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
 250         });
 251
 252         sharedAppInstall1.uninstallApp();
 253
 254         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 255             accessTest(nonSharedApp.getAppId(), sharedApp2.getPrivateDir(2), R_OK|W_OK|X_OK);
 256         });
 257     }
 258 }
 259
 260 /**
 261  * Try to add valid sharedRO dir to an app and check all possible accesses to to it.
 262  */
 263 RUNNER_CHILD_TEST(security_manager_81_add_path_to_app_and_check_all)
 264 {
 265     for (const auto &version : versionCombinations) {
 266         AppInstallHelper sharedApp("sm_test_83_shared1", OWNER_UID, version.first);
 267         sharedApp.createPrivateDir();
 268         sharedApp.createSharedRODir();
 269         ScopedInstaller sharedAppInstall(sharedApp);
 270
 271         AppInstallHelper nonSharedApp("sm_test_83_nonshared", OWNER_UID, version.first);
 272         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 273
 274         AppInstallHelper sharedApp2("sm_test_83_shared2", OWNER_UID, version.second);
 275         ScopedInstaller nonSharedAppInstall2(sharedApp2);
 276
 277         //Post install
 278         sharedApp2.createSharedRODir();
 279
 280         PathsRequest sharedRORequest;
 281         sharedRORequest.setPkgId(sharedApp2.getPkgId());
 282         sharedRORequest.addPath(sharedApp2.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
 283         sharedRORequest.setUid(sharedApp2.getUID());
 284         Api::registerPaths(sharedRORequest);
 285
 286         runAccessTest(OWNER_UID, OWNER_GID, sharedApp.getAppId(), [&]() {
 287             accessTest(sharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|W_OK|X_OK);
 288             accessTest(sharedApp.getAppId(), sharedApp.getPrivateDir(), R_OK|W_OK|X_OK);
 289         });
 290
 291         runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
 292             accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
 293             accessTest(sharedApp2.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
 294             accessTest(sharedApp2.getAppId(), sharedApp.getPrivateDir(), 0);
 295         });
 296
 297         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 298             accessTest(nonSharedApp.getAppId(), sharedApp.getSharedRODir(), R_OK|X_OK);
 299             accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
 300             accessTest(nonSharedApp.getAppId(), sharedApp.getPrivateDir(), 0);
 301         });
 302     }
 303 }
 304
 305 /**
 306  * Try to add path which does not belong to an app and check if operation fails.
 307  */
 308 RUNNER_CHILD_TEST(security_manager_82_add_invalid_path_to_app_and_check_all)
 309 {
 310     for (const auto &version : versionCombinations) {
 311         AppInstallHelper sharedApp("sm_test_84_shared", OWNER_UID, version.first);
 312         sharedApp.createSharedRODir();
 313         ScopedInstaller sharedAppInstall(sharedApp);
 314
 315         AppInstallHelper nonSharedApp("sm_test_84_nonshared", OWNER_UID, version.second);
 316         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 317
 318         PathsRequest sharedRORequest;
 319         sharedRORequest.setPkgId(nonSharedApp.getPkgId());
 320         sharedRORequest.addPath(sharedApp.getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
 321         sharedRORequest.setUid(nonSharedApp.getUID());
 322         Api::registerPaths(sharedRORequest, SECURITY_MANAGER_ERROR_NOT_PATH_OWNER);
 323     }
 324 }
 325
 326 /**
 327  * Install and uninstall app and check accesses to uninstalled paths from other packages.
 328  */
 329 RUNNER_CHILD_TEST(security_manager_83_install_uninstall_shared_ro_app_and_check_cleaning)
 330 {
 331     for (const auto &verComb : versionCombinations) {
 332         AppInstallHelper sharedApp1("sm_test_85_shared1", OWNER_UID, verComb.first);
 333         sharedApp1.createSharedRODir();
 334         ScopedInstaller sharedAppInstall1(sharedApp1);
 335
 336         AppInstallHelper sharedApp2("sm_test_85_shared2", OWNER_UID, verComb.second);
 337         sharedApp2.createSharedRODir();
 338         ScopedInstaller sharedAppInstall2(sharedApp2);
 339
 340         AppInstallHelper nonSharedApp("sm_test_85_nonshared", OWNER_UID, verComb.second);
 341         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 342
 343         sharedAppInstall1.uninstallApp();
 344         sharedApp1.removePaths();
 345
 346         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 347             accessTest(nonSharedApp.getAppId(), sharedApp1.getSharedRODir(), 0);
 348             accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(), R_OK|X_OK);
 349         });
 350
 351         runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
 352             accessTest(sharedApp2.getAppId(), sharedApp1.getSharedRODir(), 0);
 353             accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(), R_OK|W_OK|X_OK);
 354         });
 355     }
 356 }
 357
 358 /**
 359  * Install multiple SharedRO apps, uninstall one of them and check accesses
 360  * to sharedRO path within one package.
 361  */
 362 RUNNER_CHILD_TEST(security_manager_84_install_uninstall_shared_ro_two_apps_in_one_pkg)
 363 {
 364     std::string sharedPkgName = "sm_test_86";
 365
 366     for (const auto &version : versionCombinations) {
 367         AppInstallHelper nonSharedApp("sm_test_86_nonshared", OWNER_UID, version.first);
 368         ScopedInstaller nonSharedAppInstall(nonSharedApp);
 369
 370         // Apps from the same package
 371         AppInstallHelper sharedApp1("sm_test_86_shared1", sharedPkgName, OWNER_UID, version.second);
 372         sharedApp1.createSharedRODir(1);
 373         ScopedInstaller sharedAppInstall1(sharedApp1);
 374
 375         AppInstallHelper sharedApp2("sm_test_86_shared2", sharedPkgName, OWNER_UID, version.second);
 376         sharedApp2.createSharedRODir(2);
 377         ScopedInstaller sharedAppInstall2(sharedApp2);
 378
 379         sharedAppInstall1.uninstallApp();
 380
 381         runAccessTest(OWNER_UID, OWNER_GID, nonSharedApp.getAppId(), [&]() {
 382             accessTest(nonSharedApp.getAppId(), sharedApp2.getSharedRODir(2), R_OK|X_OK);
 383         });
 384
 385         runAccessTest(OWNER_UID, OWNER_GID, sharedApp2.getAppId(), [&]() {
 386             accessTest(sharedApp2.getAppId(), sharedApp2.getSharedRODir(2), R_OK|W_OK|X_OK);
 387         });
 388     }
 389 }