2 * Copyright (c) 2020 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
19 #include <tzplatform_config.h>
21 #include <dpl/test/test_runner.h>
22 #include <dpl/test/test_runner_child.h>
24 #include <scoped_installer.h>
25 #include <scoped_app_launcher.h>
26 #include <temp_test_user.h>
27 #include <app_install_helper_ext.h>
28 #include <sm_policy_request.h>
29 #include <privilege_names.h>
31 using namespace SecurityManagerTest;
32 using namespace PrivilegeNames;
36 const uid_t OWNER_ID = tzplatform_getuid(TZ_SYS_DEFAULT_USER);
38 void changePolicy(const AppInstallHelper& app, const std::string& priv, const std::string &level) {
39 PolicyRequest policyRequest;
40 PolicyEntry entry(app.getAppId(), std::to_string(app.getUID()), priv);
41 entry.setLevel(level);
42 policyRequest.addEntry(entry);
43 Api::sendPolicy(policyRequest);
46 } // namespace anonymous
48 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SMACK_PRIVILEGES)
50 RUNNER_CHILD_TEST(smack_privileges_10_no_privileges)
52 AppInstallHelperExt app("sm_test_sp_10_app");
54 ScopedInstaller appInstall(app);
55 app.checkAfterInstall();
56 app.checkDeniedPrivileges({PRIV_INTERNET});
57 app.checkSmackPrivileges({}, {PRIV_INTERNET});
59 ScopedAppLauncher appLaunch(app);
60 app.checkSmackPrivileges({}, {PRIV_INTERNET});
63 app.checkAfterUninstall();
66 RUNNER_CHILD_TEST(smack_privileges_20_internet_privilege)
68 AppInstallHelperExt app("sm_test_sp_20_app");
69 app.addPrivileges({PRIV_INTERNET});
71 ScopedInstaller appInstall(app);
72 app.checkAfterInstall();
74 // rules absent before app is launched
75 app.checkSmackPrivileges({}, {PRIV_INTERNET});
77 ScopedAppLauncher appLaunch(app);
78 app.checkSmackPrivileges({PRIV_INTERNET}, {});
80 // rules present after app is terminated
81 app.checkSmackPrivileges({PRIV_INTERNET}, {});
83 app.checkAfterUninstall();
84 // rules removed after app uninstallation
85 app.checkSmackPrivileges({}, {PRIV_INTERNET});
88 RUNNER_CHILD_TEST(smack_privileges_30_one_after_another)
90 AppInstallHelperExt app("sm_test_sp_30_app");
91 app.addPrivileges({PRIV_INTERNET});
93 ScopedInstaller appInstall(app);
94 app.checkAfterInstall();
96 // rules absent before app is launched
97 app.checkSmackPrivileges({}, {PRIV_INTERNET});
99 ScopedAppLauncher appLaunch(app);
100 app.checkSmackPrivileges({PRIV_INTERNET}, {});
102 // rules present after app is terminated
103 app.checkSmackPrivileges({PRIV_INTERNET}, {});
106 ScopedAppLauncher appLaunch(app);
107 app.checkSmackPrivileges({PRIV_INTERNET}, {});
109 // rules present after app is terminated
110 app.checkSmackPrivileges({PRIV_INTERNET}, {});
112 app.checkAfterUninstall();
113 // rules removed after app uninstallation
114 app.checkSmackPrivileges({}, {PRIV_INTERNET});
117 RUNNER_CHILD_TEST(smack_privileges_40_different_users_one_after_another)
119 TemporaryTestUser testUser("sm_test_40_user_name", GUM_USERTYPE_NORMAL, true);
122 AppInstallHelperExt app("sm_test_sp_40_app");
123 app.addPrivileges({PRIV_INTERNET});
126 ScopedInstaller appInstall(app);
127 app.checkAfterInstall();
129 app.checkSmackPrivileges({}, {PRIV_INTERNET});
133 app.setUidGid(OWNER_ID);
134 ScopedAppLauncher appLaunch(app);
135 app.checkSmackPrivileges({PRIV_INTERNET}, {});
138 app.checkSmackPrivileges({PRIV_INTERNET}, {});
142 app.setUidGid(testUser.getUid());
143 ScopedAppLauncher appLaunch(app);
144 app.checkSmackPrivileges({PRIV_INTERNET}, {});
147 app.checkSmackPrivileges({PRIV_INTERNET}, {});
149 app.checkAfterUninstall();
150 app.checkSmackPrivileges({}, {PRIV_INTERNET});
153 RUNNER_CHILD_TEST(smack_privileges_50_same_user_simultaneously)
155 AppInstallHelperExt app("sm_test_sp_50_app", OWNER_ID);
156 app.addPrivileges({PRIV_INTERNET});
158 ScopedInstaller appInstall(app);
159 app.checkAfterInstall();
161 app.checkSmackPrivileges({}, {PRIV_INTERNET});
163 ScopedAppLauncher appLaunch1(app);
164 app.checkSmackPrivileges({PRIV_INTERNET}, {});
166 ScopedAppLauncher appLaunch2(app);
167 app.checkSmackPrivileges({PRIV_INTERNET}, {});
169 app.checkSmackPrivileges({PRIV_INTERNET}, {});
171 app.checkSmackPrivileges({PRIV_INTERNET}, {});
173 app.checkAfterUninstall();
174 app.checkSmackPrivileges({}, {PRIV_INTERNET});
177 RUNNER_CHILD_TEST(smack_privileges_60_same_user_interchangeably)
179 AppInstallHelperExt app("sm_test_sp_60_app", OWNER_ID);
180 app.addPrivileges({PRIV_INTERNET});
183 ScopedInstaller appInstall(app);
184 app.checkAfterInstall();
186 app.checkSmackPrivileges({}, {PRIV_INTERNET});
189 auto appLaunch1 = std::make_unique<ScopedAppLauncher>(app);
191 app.checkSmackPrivileges({PRIV_INTERNET}, {});
194 auto appLaunch2 = std::make_unique<ScopedAppLauncher>(app);
196 app.checkSmackPrivileges({PRIV_INTERNET}, {});
201 app.checkSmackPrivileges({PRIV_INTERNET}, {});
206 app.checkAfterUninstall();
207 app.checkSmackPrivileges({}, {PRIV_INTERNET});
210 RUNNER_CHILD_TEST(smack_privileges_70_different_users_simultaneously)
212 TemporaryTestUser testUser("sm_test_70_user_name", GUM_USERTYPE_NORMAL, true);
215 AppInstallHelperExt app("sm_test_sp_70_app");
216 app.addPrivileges({PRIV_INTERNET});
219 ScopedInstaller appInstall(app);
220 app.checkAfterInstall();
222 app.checkSmackPrivileges({}, {PRIV_INTERNET});
226 app.setUidGid(OWNER_ID);
227 ScopedAppLauncher appLaunch(app);
228 app.checkSmackPrivileges({PRIV_INTERNET}, {});
232 app.setUidGid(testUser.getUid());
233 ScopedAppLauncher appLaunch(app);
235 // multiuser detected -> rules removed
236 app.checkSmackPrivileges({}, {PRIV_INTERNET});
238 app.checkSmackPrivileges({}, {PRIV_INTERNET});
240 app.checkSmackPrivileges({}, {PRIV_INTERNET});
244 app.setUidGid(OWNER_ID);
245 ScopedAppLauncher appLaunch(app);
248 app.checkSmackPrivileges({PRIV_INTERNET}, {});
251 app.checkAfterUninstall();
252 app.checkSmackPrivileges({}, {PRIV_INTERNET});
255 RUNNER_CHILD_TEST(smack_privileges_80_uninstall_local_while_running)
257 AppInstallHelperExt app("sm_test_sp_80_app");
258 app.addPrivileges({PRIV_INTERNET});
261 ScopedInstaller appInstall1(app);
262 app.checkAfterInstall();
264 app.checkSmackPrivileges({}, {PRIV_INTERNET});
267 AppInstallHelperExt app2("sm_test_sp_80_app", OWNER_ID);
268 auto appInstall2 = std::make_unique<ScopedInstaller>(app2);
269 app2.checkAfterInstall();
272 ScopedAppLauncher appLaunch(app);
273 app.checkSmackPrivileges({PRIV_INTERNET}, {});
278 app.checkSmackPrivileges({PRIV_INTERNET}, {});
280 app.checkAfterUninstall();
281 app.checkSmackPrivileges({}, {PRIV_INTERNET});
284 RUNNER_CHILD_TEST(smack_privileges_90_user_removal)
286 TemporaryTestUser testUser("sm_test_90_user_name", GUM_USERTYPE_NORMAL, true);
289 AppInstallHelperExt app("sm_test_sp_90_app", testUser.getUid());
290 app.addPrivileges({PRIV_INTERNET});
293 ScopedInstaller appInstall(app);
294 app.checkAfterInstall();
296 app.checkSmackPrivileges({}, {PRIV_INTERNET});
300 ScopedAppLauncher appLaunch(app);
301 app.checkSmackPrivileges({PRIV_INTERNET}, {});
304 app.checkSmackPrivileges({PRIV_INTERNET}, {});
309 app.checkAfterUninstall();
310 app.checkSmackPrivileges({}, {PRIV_INTERNET});
314 RUNNER_CHILD_TEST(smack_privileges_100_hybrid_app)
316 AppInstallHelperExt app("sm_test_sp_100_app");
317 app.addPrivileges({PRIV_INTERNET});
320 ScopedInstaller appInstall(app);
321 app.checkAfterInstall();
323 app.checkSmackPrivileges({}, {PRIV_INTERNET});
327 ScopedAppLauncher appLaunch(app);
328 app.checkSmackPrivileges({PRIV_INTERNET}, {});
331 app.checkSmackPrivileges({PRIV_INTERNET}, {});
333 app.checkAfterUninstall();
334 app.checkSmackPrivileges({}, {PRIV_INTERNET});
337 RUNNER_CHILD_TEST(smack_privileges_110_hybridity_change)
339 AppInstallHelperExt app("sm_test_sp_110_app");
340 app.addPrivileges({PRIV_INTERNET});
342 ScopedInstaller appInstall(app);
343 app.checkAfterInstall();
345 app.checkSmackPrivileges({}, {PRIV_INTERNET});
349 ScopedAppLauncher appLaunch(app);
350 app.checkSmackPrivileges({PRIV_INTERNET}, {});
353 app.checkSmackPrivileges({PRIV_INTERNET}, {});
358 InstallRequest request;
359 request.setAppId(app.getAppId());
360 request.setPkgId(app.getPkgId());
361 request.setUid(app.getUID());
363 for (const auto &priv: app.getPrivileges()) {
364 request.addPrivilege(priv);
366 Api::update(request);
368 app.checkSmackPrivileges({}, {PRIV_INTERNET});
372 ScopedAppLauncher appLaunch(app);
373 app.checkSmackPrivileges({PRIV_INTERNET}, {});
376 app.checkSmackPrivileges({PRIV_INTERNET}, {});
378 app.checkAfterUninstall();
379 app.checkSmackPrivileges({}, {PRIV_INTERNET});
382 RUNNER_CHILD_TEST(smack_privileges_120_policy_change_while_running)
384 TemporaryTestUser testUser("sm_test_120_user_name", GUM_USERTYPE_NORMAL, true);
387 AppInstallHelperExt app("sm_test_sp_120_app", testUser.getUid());
388 app.addPrivileges({PRIV_INTERNET});
390 ScopedInstaller appInstall(app);
391 app.checkAfterInstall();
393 app.checkSmackPrivileges({}, {PRIV_INTERNET});
397 ScopedAppLauncher appLaunch(app);
398 app.checkSmackPrivileges({PRIV_INTERNET}, {});
401 changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
403 app.checkSmackPrivileges({}, {PRIV_INTERNET});
406 changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
408 app.checkSmackPrivileges({PRIV_INTERNET}, {});
410 app.checkSmackPrivileges({PRIV_INTERNET}, {});
412 app.checkAfterUninstall();
413 app.checkSmackPrivileges({}, {PRIV_INTERNET});
416 RUNNER_CHILD_TEST(smack_privileges_130_different_users_and_policies)
418 TemporaryTestUser testUser("sm_test_130_user_name", GUM_USERTYPE_NORMAL, true);
421 AppInstallHelperExt app("sm_test_sp_130_app");
422 app.addPrivileges({PRIV_INTERNET});
425 ScopedInstaller appInstall(app);
426 app.checkAfterInstall();
428 app.checkSmackPrivileges({}, {PRIV_INTERNET});
430 // test user launch with denied policy
432 app.setUidGid(testUser.getUid());
433 changePolicy(app, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
434 ScopedAppLauncher appLaunch(app);
435 app.checkSmackPrivileges({}, {PRIV_INTERNET});
438 app.checkSmackPrivileges({}, {PRIV_INTERNET});
442 app.setUidGid(OWNER_ID);
443 ScopedAppLauncher appLaunch(app);
444 app.checkSmackPrivileges({PRIV_INTERNET}, {});
447 app.checkSmackPrivileges({PRIV_INTERNET}, {});
449 app.checkAfterUninstall();
450 app.checkSmackPrivileges({}, {PRIV_INTERNET});
453 RUNNER_CHILD_TEST(smack_privileges_140_two_users_sequence)
455 TemporaryTestUser testUser("sm_test_140_user_name", GUM_USERTYPE_NORMAL, true);
458 AppInstallHelperExt app("sm_test_sp_140_app");
459 app.addPrivileges({PRIV_INTERNET});
462 ScopedInstaller appInstall(app);
463 app.checkAfterInstall();
464 app.checkSmackPrivileges({}, {PRIV_INTERNET});
466 // owner launch -> allowed
467 app.setUidGid(OWNER_ID);
468 ScopedAppLauncher appLaunch1(app);
469 app.checkSmackPrivileges({PRIV_INTERNET}, {});
471 // test user launch -> denied
472 app.setUidGid(testUser.getUid());
473 ScopedAppLauncher appLaunch2(app);
474 app.checkSmackPrivileges({}, {PRIV_INTERNET});
476 // owner launch -> denied
477 app.setUidGid(OWNER_ID);
478 ScopedAppLauncher appLaunch3(app);
479 app.checkSmackPrivileges({}, {PRIV_INTERNET});
481 // test user launch -> still denied
482 app.setUidGid(testUser.getUid());
483 ScopedAppLauncher appLaunch4(app);
484 app.checkSmackPrivileges({}, {PRIV_INTERNET});
487 // test user launch -> allowed
488 app.setUidGid(testUser.getUid());
489 ScopedAppLauncher appLaunch5(app);
490 app.checkSmackPrivileges({PRIV_INTERNET}, {});
492 app.checkAfterUninstall();
493 app.checkSmackPrivileges({}, {PRIV_INTERNET});
496 RUNNER_CHILD_TEST(smack_privileges_150_independent_apps)
498 TemporaryTestUser testUser("sm_test_150_user_name", GUM_USERTYPE_NORMAL, true);
501 AppInstallHelperExt app1("sm_test_sp_150_app1", testUser.getUid());
502 AppInstallHelperExt app2("sm_test_sp_150_app2", testUser.getUid());
503 app1.addPrivileges({PRIV_INTERNET});
505 ScopedInstaller appInstall1(app1);
506 ScopedInstaller appInstall2(app2);
508 app1.checkAfterInstall();
509 app2.checkAfterInstall();
511 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
512 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
516 ScopedAppLauncher appLaunch1(app1);
517 ScopedAppLauncher appLaunch2(app2);
519 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
520 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
523 app1.checkAfterUninstall();
524 app2.checkAfterUninstall();
525 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
526 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
529 RUNNER_CHILD_TEST(smack_privileges_160_nonhybrid_package)
531 TemporaryTestUser testUser("sm_test_160_user_name", GUM_USERTYPE_NORMAL, true);
534 constexpr char pkgPrefix[] = "sm_test_sp_160_pkg";
536 AppInstallHelperExt app1("sm_test_sp_160_app1", pkgPrefix, testUser.getUid());
537 app1.addPrivileges({PRIV_INTERNET});
539 AppInstallHelperExt app2("sm_test_sp_160_app2", pkgPrefix, testUser.getUid());
540 app2.addPrivileges({PRIV_INTERNET});
542 ScopedInstaller appInstall1(app1);
543 ScopedInstaller appInstall2(app2);
545 app1.checkAfterInstall();
546 app2.checkAfterInstall();
548 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
549 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
553 ScopedAppLauncher appLaunch1(app1);
554 ScopedAppLauncher appLaunch2(app2);
556 // both have access in non-hybrid package
557 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
558 app2.checkSmackPrivileges({PRIV_INTERNET}, {});
560 // change policy of single app
561 changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
563 // both should lose the access
564 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
565 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
567 changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
569 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
570 app2.checkSmackPrivileges({PRIV_INTERNET}, {});
573 app1.checkAfterUninstall();
574 app2.checkAfterUninstall();
575 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
576 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
580 RUNNER_CHILD_TEST(smack_privileges_170_hybrid_package)
582 TemporaryTestUser testUser("sm_test_170_user_name", GUM_USERTYPE_NORMAL, true);
585 constexpr char pkgPrefix[] = "sm_test_sp_170_pkg";
587 AppInstallHelperExt app1("sm_test_sp_170_app1", pkgPrefix, testUser.getUid());
588 app1.addPrivileges({PRIV_INTERNET});
591 AppInstallHelperExt app2("sm_test_sp_170_app2", pkgPrefix, testUser.getUid());
594 ScopedInstaller appInstall1(app1);
595 ScopedInstaller appInstall2(app2);
597 app1.checkAfterInstall();
598 app2.checkAfterInstall();
600 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
601 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
605 ScopedAppLauncher appLaunch1(app1);
606 ScopedAppLauncher appLaunch2(app2);
608 // only one have access in a hybrid package
609 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
610 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
612 // change policy of single app
613 changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
615 // both should have no access
616 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
617 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
619 changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
621 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
622 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
625 app1.checkAfterUninstall();
626 app2.checkAfterUninstall();
627 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
628 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
631 RUNNER_CHILD_TEST(smack_privileges_180_hybrid_package_both_apps_privileged)
633 TemporaryTestUser testUser("sm_test_180_user_name", GUM_USERTYPE_NORMAL, true);
636 constexpr char pkgPrefix[] = "sm_test_sp_180_pkg";
638 AppInstallHelperExt app1("sm_test_sp_180_app1", pkgPrefix, testUser.getUid());
639 app1.addPrivileges({PRIV_INTERNET});
642 AppInstallHelperExt app2("sm_test_sp_180_app2", pkgPrefix, testUser.getUid());
643 app2.addPrivileges({PRIV_INTERNET});
646 ScopedInstaller appInstall1(app1);
647 ScopedInstaller appInstall2(app2);
649 app1.checkAfterInstall();
650 app2.checkAfterInstall();
652 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
653 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
657 ScopedAppLauncher appLaunch1(app1);
658 ScopedAppLauncher appLaunch2(app2);
660 // only one have access in a hybrid package
661 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
662 app2.checkSmackPrivileges({PRIV_INTERNET}, {});
664 // change policy of single app
665 changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_DENY);
667 // both should have no access
668 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
669 app2.checkSmackPrivileges({PRIV_INTERNET}, {});
671 changePolicy(app1, PRIV_INTERNET, PolicyEntry::LEVEL_ALLOW);
673 app1.checkSmackPrivileges({PRIV_INTERNET}, {});
674 app2.checkSmackPrivileges({PRIV_INTERNET}, {});
677 app1.checkAfterUninstall();
678 app2.checkAfterUninstall();
679 app1.checkSmackPrivileges({}, {PRIV_INTERNET});
680 app2.checkSmackPrivileges({}, {PRIV_INTERNET});
683 // TODO custom smack privileges