1 #include <dpl/log/log.h>
2 #include <dpl/test/test_runner.h>
7 #include <unordered_set>
8 #include <sys/capability.h>
11 #include <sys/socket.h>
13 #include <attr/xattr.h>
14 #include <linux/xattr.h>
17 #include <sys/types.h>
23 #include <libprivilege-control_test_common.h>
24 #include <tests_common.h>
26 #include <tzplatform_config.h>
27 #include <security-manager.h>
30 #include <sm_request.h>
31 #include <sm_user_request.h>
32 #include <temp_test_user.h>
33 #include <cynara_test_client.h>
34 #include <service_manager.h>
36 using namespace SecurityManagerTest;
38 DEFINE_SMARTPTR(cap_free, _cap_struct, CapsSetsUniquePtr);
39 DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
41 static const privileges_t SM_ALLOWED_PRIVILEGES = {
42 "http://tizen.org/privilege/location",
43 "http://tizen.org/privilege/camera"
46 static const privileges_t SM_DENIED_PRIVILEGES = {
47 "http://tizen.org/privilege/bluetooth",
48 "http://tizen.org/privilege/power"
51 static const privileges_t SM_NO_PRIVILEGES = {
54 static const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
56 static const char *const SM_PRIVATE_PATH = "/usr/apps/test_DIR/app_dir";
57 static const char *const SM_PUBLIC_RO_PATH = "/usr/apps/test_DIR/app_dir_public_ro";
58 static const char *const SM_DENIED_PATH = "/usr/apps/test_DIR/non_app_dir";
59 static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
60 static const std::string EXEC_FILE("exec");
61 static const std::string NORMAL_FILE("normal");
62 static const std::string LINK_PREFIX("link_to_");
64 static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
65 static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
66 static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
67 static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
69 static const std::vector<std::string> MANY_APPS = {
70 "security_manager_10_app_1",
71 "security_manager_10_app_2",
72 "security_manager_10_app_3",
73 "security_manager_10_app_4",
74 "security_manager_10_app_5"
77 static const std::map<std::string, std::string> MANY_APPS_PKGS = {
78 {"security_manager_10_app_1", "security_manager_10_pkg_1"},
79 {"security_manager_10_app_2", "security_manager_10_pkg_2"},
80 {"security_manager_10_app_3", "security_manager_10_pkg_3"},
81 {"security_manager_10_app_4", "security_manager_10_pkg_4"},
82 {"security_manager_10_app_5", "security_manager_10_pkg_5"},
83 {PRIVILEGE_MANAGER_APP, PRIVILEGE_MANAGER_PKG}
86 static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
88 "http://tizen.org/privilege/internet",
89 "http://tizen.org/privilege/location"
92 "http://tizen.org/privilege/telephony",
93 "http://tizen.org/privilege/camera"
96 "http://tizen.org/privilege/contact.read",
97 "http://tizen.org/privilege/led",
98 "http://tizen.org/privilege/email"
101 "http://tizen.org/privilege/led",
102 "http://tizen.org/privilege/email",
103 "http://tizen.org/privilege/telephony",
104 "http://tizen.org/privilege/camera"
107 "http://tizen.org/privilege/internet",
108 "http://tizen.org/privilege/location",
109 "http://tizen.org/privilege/led",
110 "http://tizen.org/privilege/email"
114 static void generateAppLabel(const std::string &pkgId, std::string &label)
120 static int nftw_check_sm_labels_app_dir(const char *fpath, const struct stat *sb,
121 const char* correctLabel, bool transmute_test, bool exec_test)
125 char* label = nullptr;
128 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
129 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
130 labelPtr.reset(label);
131 RUNNER_ASSERT_MSG(label != nullptr, "ACCESS label on " << fpath << " is not set");
132 result = strcmp(correctLabel, label);
133 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect"
134 " (should be '" << correctLabel << "' and is '" << label << "')");
138 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
139 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
140 labelPtr.reset(label);
142 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR) && exec_test) {
143 RUNNER_ASSERT_MSG(label != nullptr, "EXEC label on " << fpath << " is not set");
144 result = strcmp(correctLabel, label);
145 RUNNER_ASSERT_MSG(result == 0, "Incorrect EXEC label on executable file " << fpath);
147 RUNNER_ASSERT_MSG(label == nullptr, "EXEC label on " << fpath << " is set");
151 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
152 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
153 labelPtr.reset(label);
155 if (S_ISDIR(sb->st_mode) && transmute_test == true) {
156 RUNNER_ASSERT_MSG(label != nullptr, "TRANSMUTE label on " << fpath << " is not set at all");
157 RUNNER_ASSERT_MSG(strcmp(label,"TRUE") == 0,
158 "TRANSMUTE label on " << fpath << " is not set properly: '"<<label<<"'");
160 RUNNER_ASSERT_MSG(label == nullptr, "TRANSMUTE label on " << fpath << " is set");
167 static int nftw_check_sm_labels_app_private_dir(const char *fpath, const struct stat *sb,
168 int /*typeflag*/, struct FTW* /*ftwbuf*/)
170 return nftw_check_sm_labels_app_dir(fpath, sb, USER_APP_ID, false, true);
173 static int nftw_check_sm_labels_app_floor_dir(const char *fpath, const struct stat *sb,
174 int /*typeflag*/, struct FTW* /*ftwbuf*/)
177 return nftw_check_sm_labels_app_dir(fpath, sb, "_", false, false);
180 static void prepare_app_path()
184 result = nftw(SM_PRIVATE_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
185 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PRIVATE_PATH);
187 result = nftw(SM_PUBLIC_RO_PATH, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
188 RUNNER_ASSERT_MSG(result == 0, "Unable to clean Smack labels in " << SM_PUBLIC_RO_PATH);
190 result = nftw(SM_DENIED_PATH, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
191 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_DENIED_PATH);
194 static void prepare_app_env()
199 /* TODO: add parameters to this function */
200 static void check_app_path_after_install()
204 result = nftw(SM_PRIVATE_PATH, &nftw_check_sm_labels_app_private_dir, FTW_MAX_FDS, FTW_PHYS);
205 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PRIVATE_PATH);
207 result = nftw(SM_PUBLIC_RO_PATH, &nftw_check_sm_labels_app_floor_dir, FTW_MAX_FDS, FTW_PHYS);
208 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_PUBLIC_RO_PATH);
210 result = nftw(SM_DENIED_PATH, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
211 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_DENIED_PATH);
215 static void check_app_permissions(const char *const app_id, const char *const pkg_id, const char *const user,
216 const privileges_t &allowed_privs, const privileges_t &denied_privs)
219 std::string smackLabel;
220 generateAppLabel(pkg_id, smackLabel);
222 CynaraTestClient::Client ctc;
224 for (auto &priv : allowed_privs) {
225 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED);
228 for (auto &priv : denied_privs) {
229 ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED);
233 static void check_app_gids(const char *const app_id, const std::vector<gid_t> &allowed_gids)
236 gid_t main_gid = getgid();
237 std::unordered_set<gid_t> reference_gids(allowed_gids.begin(), allowed_gids.end());
239 // Reset supplementary groups
240 ret = setgroups(0, NULL);
241 RUNNER_ASSERT_MSG(ret != -1, "Unable to set supplementary groups");
243 Api::setProcessGroups(app_id);
245 ret = getgroups(0, nullptr);
246 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
248 std::vector<gid_t> actual_gids(ret);
249 ret = getgroups(ret, actual_gids.data());
250 RUNNER_ASSERT_MSG(ret != -1, "Unable to get supplementary groups");
252 for (const auto &gid : actual_gids) {
253 RUNNER_ASSERT_MSG(gid == main_gid || reference_gids.count(gid) > 0,
254 "Application shouldn't get access to group " << gid);
255 reference_gids.erase(gid);
258 RUNNER_ASSERT_MSG(reference_gids.empty(), "Application didn't get access to some groups");
261 static void check_app_after_install(const char *const app_id, const char *const pkg_id,
262 const privileges_t &allowed_privs,
263 const privileges_t &denied_privs,
264 const std::vector<std::string> &allowed_groups)
266 TestSecurityManagerDatabase dbtest;
267 dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
268 dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
270 /*Privileges should be granted to all users if root installs app*/
271 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
273 /* Setup mapping of gids to privileges */
274 /* Do this for each privilege for extra check */
275 for (const auto &privilege : allowed_privs) {
276 dbtest.setup_privilege_groups(privilege, allowed_groups);
279 std::vector<gid_t> allowed_gids;
281 for (const auto &groupName : allowed_groups) {
283 struct group* grp = getgrnam(groupName.c_str());
284 RUNNER_ASSERT_ERRNO_MSG(grp, "Group: " << groupName << " not found");
285 allowed_gids.push_back(grp->gr_gid);
288 check_app_gids(app_id, allowed_gids);
291 static void check_app_after_install(const char *const app_id, const char *const pkg_id)
293 TestSecurityManagerDatabase dbtest;
294 dbtest.test_db_after__app_install(app_id, pkg_id);
297 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
298 const privileges_t &privileges, const bool is_pkg_removed)
300 TestSecurityManagerDatabase dbtest;
301 dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
304 /*Privileges should not be granted anymore to any user*/
305 check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, SM_NO_PRIVILEGES, privileges);
308 static void check_app_after_uninstall(const char *const app_id, const char *const pkg_id,
309 const bool is_pkg_removed)
311 TestSecurityManagerDatabase dbtest;
312 dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
315 static void install_app(const char *app_id, const char *pkg_id, uid_t uid = 0)
317 InstallRequest request;
318 request.setAppId(app_id);
319 request.setPkgId(pkg_id);
321 Api::install(request);
323 check_app_after_install(app_id, pkg_id);
327 static void uninstall_app(const char *app_id, const char *pkg_id, bool expect_pkg_removed)
329 InstallRequest request;
330 request.setAppId(app_id);
332 Api::uninstall(request);
334 check_app_after_uninstall(app_id, pkg_id, expect_pkg_removed);
337 static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
339 InstallRequest request;
340 request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
341 request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
343 request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
345 request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
346 Api::install(request);
347 Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
350 static inline struct passwd *getUserStruct(const std::string &userName) {
351 struct passwd *pw = nullptr;
354 while(!(pw = getpwnam(userName.c_str()))) {
355 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
361 static inline struct passwd *getUserStruct(const uid_t uid) {
362 struct passwd *pw = nullptr;
365 while(!(pw = getpwuid(uid))) {
366 RUNNER_ASSERT_ERRNO_MSG(errno == EINTR, "getpwnam() failed");
372 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
375 RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
377 const char *const sm_app_id = "sm_test_01a_app_id_double";
378 const char *const sm_pkg_id = "sm_test_01a_pkg_id_double";
380 InstallRequest requestInst;
381 requestInst.setAppId(sm_app_id);
382 requestInst.setPkgId(sm_pkg_id);
384 Api::install(requestInst);
385 Api::install(requestInst);
387 /* Check records in the security-manager database */
388 check_app_after_install(sm_app_id, sm_pkg_id);
390 InstallRequest requestUninst;
391 requestUninst.setAppId(sm_app_id);
393 Api::uninstall(requestUninst);
394 Api::uninstall(requestUninst);
396 /* Check records in the security-manager database */
397 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
401 RUNNER_TEST(security_manager_01b_app_double_install_wrong_pkg_id)
403 const char *const sm_app_id = "sm_test_01b_app";
404 const char *const sm_pkg_id = "sm_test_01b_pkg";
405 const char *const sm_pkg_id_wrong = "sm_test_01b_pkg_BAD";
407 InstallRequest requestInst;
408 requestInst.setAppId(sm_app_id);
409 requestInst.setPkgId(sm_pkg_id);
411 Api::install(requestInst);
413 InstallRequest requestInst2;
414 requestInst2.setAppId(sm_app_id);
415 requestInst2.setPkgId(sm_pkg_id_wrong);
417 Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
420 /* Check records in the security-manager database */
421 check_app_after_install(sm_app_id, sm_pkg_id);
423 InstallRequest requestUninst;
424 requestUninst.setAppId(sm_app_id);
426 Api::uninstall(requestUninst);
429 /* Check records in the security-manager database */
430 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
434 RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
436 const char * const sm_app_id = "SM_TEST_01c_APPID";
437 const char * const sm_pkg_id = "SM_TEST_01c_PKGID";
438 const char * const sm_pkg_id_wrong = "SM_TEST_01c_PKGID_wrong";
440 InstallRequest requestInst;
441 requestInst.setAppId(sm_app_id);
442 requestInst.setPkgId(sm_pkg_id);
444 Api::install(requestInst);
446 /* Check records in the security-manager database */
447 check_app_after_install(sm_app_id, sm_pkg_id);
449 InstallRequest requestUninst;
450 requestUninst.setAppId(sm_app_id);
451 requestUninst.setPkgId(sm_pkg_id_wrong);
453 Api::uninstall(requestUninst);
455 check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
459 RUNNER_TEST(security_manager_02_app_install_uninstall_full)
461 const char *const sm_app_id = "sm_test_02_app_id_full";
462 const char *const sm_pkg_id = "sm_test_02_pkg_id_full";
466 InstallRequest requestInst;
467 requestInst.setAppId(sm_app_id);
468 requestInst.setPkgId(sm_pkg_id);
469 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[0].c_str());
470 requestInst.addPrivilege(SM_ALLOWED_PRIVILEGES[1].c_str());
471 requestInst.addPath(SM_PRIVATE_PATH, SECURITY_MANAGER_PATH_PRIVATE);
472 requestInst.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
474 Api::install(requestInst);
476 /* Check records in the security-manager database */
477 check_app_after_install(sm_app_id, sm_pkg_id,
478 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES, SM_ALLOWED_GROUPS);
480 /* TODO: add parameters to this function */
481 check_app_path_after_install();
483 InstallRequest requestUninst;
484 requestUninst.setAppId(sm_app_id);
486 Api::uninstall(requestUninst);
488 /* Check records in the security-manager database,
489 * all previously allowed privileges should be removed */
490 check_app_after_uninstall(sm_app_id, sm_pkg_id,
491 SM_ALLOWED_PRIVILEGES, TestSecurityManagerDatabase::REMOVED);
494 RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
496 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_smack";
497 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
498 const char *const expected_label = USER_APP_ID;
499 const char *const socketLabel = "not_expected_label";
500 char *label = nullptr;
504 uninstall_app(app_id, pkg_id, true);
505 install_app(app_id, pkg_id);
507 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
508 //Clean up before creating socket
510 int sock = socket(AF_UNIX, SOCK_STREAM, 0);
511 RUNNER_ASSERT_ERRNO_MSG(sock >= 0, "socket failed");
512 SockUniquePtr sockPtr(&sock);
513 //Bind socket to address
514 result = bind(sock, (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
515 RUNNER_ASSERT_ERRNO_MSG(result == 0, "bind failed");
516 //Set socket label to something different than expecedLabel
517 result = fsetxattr(sock, XATTR_NAME_SMACKIPIN, socketLabel,
518 strlen(socketLabel), 0);
519 RUNNER_ASSERT_ERRNO_MSG(result == 0,
520 "Can't set socket label. Result: " << result);
521 result = fsetxattr(sock, XATTR_NAME_SMACKIPOUT, socketLabel,
522 strlen(socketLabel), 0);
523 RUNNER_ASSERT_ERRNO_MSG(result == 0,
524 "Can't set socket label. Result: " << result);
526 Api::setProcessLabel(app_id);
528 char value[SMACK_LABEL_LEN + 1];
530 size = fgetxattr(sock, XATTR_NAME_SMACKIPIN, value, sizeof(value));
531 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
532 result = strcmp(expected_label, value);
533 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
534 expected_label << " Actual: " << value);
536 size = fgetxattr(sock, XATTR_NAME_SMACKIPOUT, value, sizeof(value));
537 RUNNER_ASSERT_ERRNO_MSG(size != -1, "fgetxattr failed: " << value);
538 result = strcmp(expected_label, value);
539 RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
540 expected_label << " Actual: " << value);
542 result = smack_new_label_from_self(&label);
543 RUNNER_ASSERT_MSG(result >= 0,
544 " Error getting current process label");
545 RUNNER_ASSERT_MSG(label != nullptr,
546 " Process label is not set");
547 labelPtr.reset(label);
549 result = strcmp(expected_label, label);
550 RUNNER_ASSERT_MSG(result == 0,
551 " Process label is incorrect. Expected: \"" << expected_label <<
552 "\" Actual: \"" << label << "\"");
554 uninstall_app(app_id, pkg_id, true);
557 RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
559 const char *const app_id = "sm_test_03_app_id_set_label_from_appid_nosmack";
560 const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_nosmack";
562 uninstall_app(app_id, pkg_id, true);
563 install_app(app_id, pkg_id);
565 Api::setProcessLabel(app_id);
567 uninstall_app(app_id, pkg_id, true);
570 static void prepare_request(InstallRequest &request,
571 const char *const app_id,
572 const char *const pkg_id,
573 app_install_path_type pathType,
574 const char *const path,
577 request.setAppId(app_id);
578 request.setPkgId(pkg_id);
579 request.addPath(path, pathType);
585 static uid_t getGlobalUserId(void)
587 return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
590 static const std::string appDirPath(const TemporaryTestUser &user)
592 struct tzplatform_context *tzCtxPtr = nullptr;
594 RUNNER_ASSERT(0 == tzplatform_context_create(&tzCtxPtr));
595 TzPlatformContextPtr tzCtxPtrSmart(tzCtxPtr);
597 RUNNER_ASSERT_MSG(0 == tzplatform_context_set_user(tzCtxPtr, user.getUid()),
598 "Unable to set user <" << user.getUserName() << "> for tzplatform context");
600 const char *appDir = tzplatform_context_getenv(tzCtxPtr,
601 getGlobalUserId() == user.getUid() ? TZ_SYS_RW_APP : TZ_USER_APP);
602 RUNNER_ASSERT_MSG(nullptr != appDir,
603 "tzplatform_context_getenv failed"
604 << "for getting sys rw app of user <" << user.getUserName() << ">");
609 static const std::string nonAppDirPath(const TemporaryTestUser &user)
611 return TMP_DIR + "/" + user.getUserName();
614 static const std::string uidToStr(const uid_t uid)
616 return std::to_string(static_cast<unsigned int>(uid));
619 static void install_and_check(const char *const sm_app_id,
620 const char *const sm_pkg_id,
621 const TemporaryTestUser& user,
622 const std::string &appDir,
625 InstallRequest requestPublic;
627 //install app for non-root user and try to register public path (should fail)
628 prepare_request(requestPublic, sm_app_id, sm_pkg_id,
629 SECURITY_MANAGER_PATH_PUBLIC, appDir.c_str(),
630 requestUid ? user.getUid() : 0);
632 Api::install(requestPublic, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
634 InstallRequest requestPrivate;
636 //install app for non-root user
637 //should fail (users may only register folders inside their home)
638 prepare_request(requestPrivate, sm_app_id, sm_pkg_id,
639 SECURITY_MANAGER_PATH_PRIVATE, SM_PRIVATE_PATH,
640 requestUid ? user.getUid() : 0);
642 Api::install(requestPrivate, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
644 InstallRequest requestPrivateUser;
646 //install app for non-root user
647 //should succeed - this time i register folder inside user's home dir
648 prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
649 SECURITY_MANAGER_PATH_PRIVATE, appDir.c_str(),
650 requestUid ? user.getUid() : 0);
652 for (auto &privilege : SM_ALLOWED_PRIVILEGES)
653 requestPrivateUser.addPrivilege(privilege.c_str());
655 Api::install(requestPrivateUser);
657 check_app_permissions(sm_app_id, sm_pkg_id,
658 uidToStr(user.getUid()).c_str(),
659 SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
662 static void createTestDir(const std::string &dir)
664 mode_t dirMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
665 mode_t execFileMode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
666 mode_t normalFileMode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH;
668 mkdirSafe(dir, dirMode);
669 creatSafe(dir + "/" + EXEC_FILE, execFileMode);
670 creatSafe(dir + "/" + NORMAL_FILE, normalFileMode);
671 symlinkSafe(dir + "/" + EXEC_FILE, dir + "/" + LINK_PREFIX + EXEC_FILE);
672 symlinkSafe(dir + "/" + NORMAL_FILE, dir + "/" + LINK_PREFIX + NORMAL_FILE);
675 static void createInnerAppDir(const std::string &dir, const std::string &nonAppDir)
679 symlinkSafe(nonAppDir, dir + "/" + LINK_PREFIX + "non_app_dir");
680 symlinkSafe(nonAppDir + "/" + EXEC_FILE,
681 dir + "/" + LINK_PREFIX + "non_app_" + EXEC_FILE);
682 symlinkSafe(nonAppDir + "/" + NORMAL_FILE,
683 dir + "/" + LINK_PREFIX + "non_app_" + NORMAL_FILE);
686 static void generateAppDir(const TemporaryTestUser &user)
688 const std::string dir = appDirPath(user);
689 const std::string nonAppDir = nonAppDirPath(user);
691 createInnerAppDir(dir, nonAppDir);
692 createInnerAppDir(dir + "/.inner_dir", nonAppDir);
693 createInnerAppDir(dir + "/inner_dir", nonAppDir);
696 static void generateNonAppDir(const TemporaryTestUser &user)
698 const std::string dir = nonAppDirPath(user);
701 createTestDir(dir + "/.inner_dir");
702 createTestDir(dir + "/inner_dir");
705 static void createTestDirs(const TemporaryTestUser &user)
707 generateAppDir(user);
708 generateNonAppDir(user);
711 static void removeTestDirs(const TemporaryTestUser &user)
713 removeDir(appDirPath(user));
714 removeDir(nonAppDirPath(user));
717 RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
720 const char *const sm_app_id = "sm_test_04a_app_id_uid";
721 const char *const sm_pkg_id = "sm_test_04a_pkg_id_uid";
722 const std::string new_user_name = "sm_test_04a_user_name";
724 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
727 removeTestDirs(testUser);
728 createTestDirs(testUser);
730 const std::string userAppDirPath = appDirPath(testUser);
732 //switch user to non-root
733 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
734 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
736 install_and_check(sm_app_id, sm_pkg_id, testUser, userAppDirPath, false);
738 //uninstall app as non-root user
739 InstallRequest request;
740 request.setAppId(sm_app_id);
742 Api::uninstall(request);
744 check_app_permissions(sm_app_id, sm_pkg_id,
745 uidToStr(testUser.getUid()).c_str(),
746 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
749 RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user)
752 const char *const sm_app_id = "sm_test_04b_app_id_uid";
753 const char *const sm_pkg_id = "sm_test_04b_pkg_id_uid";
754 const std::string new_user_name = "sm_test_04b_user_name";
756 TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
759 removeTestDirs(testUser);
760 createTestDirs(testUser);
762 install_and_check(sm_app_id, sm_pkg_id, testUser, appDirPath(testUser), true);
764 //switch user to non-root - root may not uninstall apps for specified users
765 result = drop_root_privileges(testUser.getUid(), testUser.getGid());
766 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
768 //uninstall app as non-root user
769 InstallRequest request;
770 request.setAppId(sm_app_id);
772 Api::uninstall(request);
774 check_app_permissions(sm_app_id, sm_pkg_id,
775 uidToStr(testUser.getUid()).c_str(),
776 SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
780 RUNNER_CHILD_TEST(security_manager_05_drop_process_capabilities)
783 CapsSetsUniquePtr caps, caps_empty(cap_init());
785 caps.reset(cap_from_text("all=eip"));
786 RUNNER_ASSERT_MSG(caps, "can't convert capabilities from text");
787 result = cap_set_proc(caps.get());
788 RUNNER_ASSERT_MSG(result == 0,
789 "can't set capabilities. Result: " << result);
791 Api::dropProcessPrivileges();
793 caps.reset(cap_get_proc());
794 RUNNER_ASSERT_MSG(caps, "can't get proc capabilities");
796 result = cap_compare(caps.get(), caps_empty.get());
797 RUNNER_ASSERT_MSG(result == 0,
798 "capabilities not dropped. Current: " << cap_to_text(caps.get(), NULL));
801 RUNNER_CHILD_TEST(security_manager_06_install_app_offline)
803 const char *const app_id = "sm_test_06_app_id_install_app_offline";
804 const char *const pkg_id = "sm_test_06_pkg_id_install_app_offline";
805 ServiceManager serviceManager("security-manager.service");
807 uninstall_app(app_id, pkg_id, true);
808 serviceManager.maskService();
809 serviceManager.stopService();
811 install_app(app_id, pkg_id);
813 serviceManager.unmaskService();
814 serviceManager.startService();
816 uninstall_app(app_id, pkg_id, true);
819 RUNNER_CHILD_TEST(security_manager_07_user_add_app_install)
821 const char *const sm_app_id = "sm_test_07_app_id_user";
822 const char *const sm_pkg_id = "sm_test_07_pkg_id_user";
823 const std::string new_user_name = "sm_test_07_user_name";
824 std::string uid_string;
825 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
827 uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
829 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
831 check_app_after_install(sm_app_id, sm_pkg_id);
835 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
837 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
840 RUNNER_CHILD_TEST(security_manager_08_user_double_add_double_remove)
842 UserRequest addUserRequest;
844 const char *const sm_app_id = "sm_test_08_app_id_user";
845 const char *const sm_pkg_id = "sm_test_08_pkg_id_user";
846 const char *const new_user_name = "sm_test_08_user_name";
847 std::string uid_string;
850 TemporaryTestUser test_user(new_user_name, GUM_USERTYPE_NORMAL, false);
852 uid_string = std::to_string(static_cast<unsigned int>(test_user.getUid()));
854 addUserRequest.setUid(test_user.getUid());
855 addUserRequest.setUserType(SM_USER_TYPE_NORMAL);
858 Api::addUser(addUserRequest);
860 install_app(sm_app_id, sm_pkg_id, test_user.getUid());
862 check_app_after_install(sm_app_id, sm_pkg_id);
866 UserRequest deleteUserRequest;
867 deleteUserRequest.setUid(test_user.getUid());
869 Api::deleteUser(deleteUserRequest);
871 check_app_permissions(sm_app_id, sm_pkg_id, uid_string.c_str(), SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
873 check_app_after_uninstall(sm_app_id, sm_pkg_id, true);
876 RUNNER_CHILD_TEST(security_manager_09_add_user_offline)
878 const char *const app_id = "security_manager_09_add_user_offline_app";
879 const char *const pkg_id = "security_manager_09_add_user_offline_pkg";
880 const std::string username("sm_test_09_user_name");
881 ServiceManager serviceManager("security-manager.service");
882 serviceManager.maskService();
883 serviceManager.stopService();
885 TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
888 install_app(app_id, pkg_id, user.getUid());
890 check_app_after_install(app_id, pkg_id);
892 serviceManager.unmaskService();
893 serviceManager.startService();
897 check_app_after_uninstall(app_id, pkg_id, true);
900 RUNNER_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
903 const std::string username("sm_test_10_user_name");
904 unsigned int privileges_count = 0;
906 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
907 std::map<std::string, std::set<std::string>> apps2PrivsMap;
909 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
910 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
911 MANY_APPS.at(i), std::set<std::string>(
912 MANY_APPS_PRIVILEGES.at(i).begin(),
913 MANY_APPS_PRIVILEGES.at(i).end())));
914 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
917 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
918 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
920 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
925 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
927 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
930 if (pid != 0) { //parent process
931 TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
934 for(const auto &user : users2AppsMap) {
936 for(const auto &app : user.second) {
937 InstallRequest requestInst;
938 requestInst.setAppId(app.first.c_str());
940 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
941 } catch (const std::out_of_range &e) {
942 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
944 requestInst.setUid(tmpUser.getUid());
946 for (const auto &privilege : app.second) {
947 requestInst.addPrivilege(privilege.c_str());
950 Api::install(requestInst);
953 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
955 //Start child process
957 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
965 if (pid == 0) { //child process
967 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
968 //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
970 struct passwd *pw = getUserStruct(username);
971 register_current_process_as_privilege_manager(pw->pw_uid);
972 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
973 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
975 std::vector<PolicyEntry> policyEntries;
977 Api::getPolicy(filter, policyEntries);
979 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
980 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
982 for (const auto &policyEntry : policyEntries) {
983 std::string user = policyEntry.getUser();
984 std::string app = policyEntry.getAppId();
985 std::string privilege = policyEntry.getPrivilege();
988 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
989 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
990 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
991 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
992 } catch (const std::out_of_range &e) {
993 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
994 } catch (const std::invalid_argument& e) {
995 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1002 RUNNER_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
1005 const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
1006 unsigned int privileges_count = 0;
1008 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1009 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1011 for (const auto &username : usernames) {
1012 //Only entries for one of the users will be listed
1013 privileges_count = 0;
1015 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1016 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1017 MANY_APPS.at(i), std::set<std::string>(
1018 MANY_APPS_PRIVILEGES.at(i).begin(),
1019 MANY_APPS_PRIVILEGES.at(i).end())));
1020 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1023 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1026 users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
1027 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1034 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1036 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1039 if (pid != 0) { //parent process
1040 std::vector<TemporaryTestUser> users = {
1041 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1042 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1045 users.at(0).create();
1046 users.at(1).create();
1048 //Install apps for both users
1049 for(const auto &user : users) {
1050 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1051 InstallRequest requestInst;
1052 requestInst.setAppId(app.first.c_str());
1054 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1055 } catch (const std::out_of_range &e) {
1056 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1058 requestInst.setUid(user.getUid());
1060 for (const auto &privilege : app.second) {
1061 requestInst.addPrivilege(privilege.c_str());
1064 Api::install(requestInst);
1067 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1071 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1076 for(auto &user : users) {
1083 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1084 struct passwd *pw = getUserStruct(usernames.at(0));
1085 register_current_process_as_privilege_manager(pw->pw_uid);
1087 //change uid to normal user
1089 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1090 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1092 std::vector<PolicyEntry> policyEntries;
1095 //this call should only return privileges belonging to the current uid
1096 Api::getPolicy(filter, policyEntries);
1098 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1099 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1101 for (const auto &policyEntry : policyEntries) {
1102 std::string user = policyEntry.getUser();
1103 std::string app = policyEntry.getAppId();
1104 std::string privilege = policyEntry.getPrivilege();
1107 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1108 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1109 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1110 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1111 } catch (const std::out_of_range &e) {
1112 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1113 } catch (const std::invalid_argument& e) {
1114 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1121 RUNNER_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
1124 const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
1125 unsigned int privileges_count = 0;
1127 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1128 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1130 for (const auto &username : usernames) {
1132 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1133 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1134 MANY_APPS.at(i), std::set<std::string>(
1135 MANY_APPS_PRIVILEGES.at(i).begin(),
1136 MANY_APPS_PRIVILEGES.at(i).end())));
1137 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1140 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1143 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1144 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
1146 privileges_count += 2;
1151 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1153 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1156 if (pid != 0) { //parent process
1157 std::vector<TemporaryTestUser> users = {
1158 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1159 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1162 users.at(0).create();
1163 users.at(1).create();
1164 //Install apps for both users
1165 for(const auto &user : users) {
1166 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1167 InstallRequest requestInst;
1168 requestInst.setAppId(app.first.c_str());
1170 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1171 } catch (const std::out_of_range &e) {
1172 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1174 requestInst.setUid(user.getUid());
1176 for (const auto &privilege : app.second) {
1177 requestInst.addPrivilege(privilege.c_str());
1180 Api::install(requestInst);
1183 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1188 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1190 //Wait for child to finish
1194 for(auto &user : users) {
1199 if (pid == 0) { //child process
1201 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
1203 struct passwd *pw = getUserStruct(usernames.at(1));
1204 register_current_process_as_privilege_manager(pw->pw_uid, true);
1206 //change uid to normal user
1207 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1208 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1210 std::vector<PolicyEntry> policyEntries;
1212 //this call should succeed as the calling user is privileged
1213 Api::getPolicy(filter, policyEntries);
1215 RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
1216 RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
1218 for (const auto &policyEntry : policyEntries) {
1219 std::string user = policyEntry.getUser();
1220 std::string app = policyEntry.getAppId();
1221 std::string privilege = policyEntry.getPrivilege();
1224 struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
1225 std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
1226 if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
1227 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
1228 } catch (const std::out_of_range &e) {
1229 RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
1230 } catch (const std::invalid_argument& e) {
1231 RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
1239 RUNNER_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
1242 const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
1244 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1245 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1247 for (const auto &username : usernames) {
1249 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1250 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1251 MANY_APPS.at(i), std::set<std::string>(
1252 MANY_APPS_PRIVILEGES.at(i).begin(),
1253 MANY_APPS_PRIVILEGES.at(i).end())));
1256 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1259 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1260 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1267 RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
1269 RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
1271 RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
1273 RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
1274 std::vector<PolicyEntry> policyEntries;
1278 if(pid[0] == 0) { //child #1 process
1279 RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
1280 struct passwd *pw = getUserStruct(usernames.at(0));
1281 register_current_process_as_privilege_manager(pw->pw_uid);
1283 //change uid to normal user
1284 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1285 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1288 PolicyRequest policyRequest;
1289 //this call should succeed as the calling user is privileged
1290 Api::getPolicyForSelf(filter, policyEntries);
1292 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1294 PolicyEntry policyEntry(
1296 std::to_string(pw->pw_uid),
1297 "http://tizen.org/privilege/internet"
1299 policyEntry.setLevel("Deny");
1301 policyRequest.addEntry(policyEntry);
1302 policyEntry = PolicyEntry(
1304 std::to_string(pw->pw_uid),
1305 "http://tizen.org/privilege/location"
1307 policyEntry.setLevel("Deny");
1309 policyRequest.addEntry(policyEntry);
1310 Api::sendPolicy(policyRequest);
1311 Api::getPolicyForSelf(filter, policyEntries);
1313 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1317 if (pid[0] != 0) {//parent process
1320 if (pid[1] == 0) { //child #2 process
1322 RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
1323 struct passwd *pw_target = getUserStruct(usernames.at(0));
1324 struct passwd *pw = getUserStruct(usernames.at(1));
1325 register_current_process_as_privilege_manager(pw->pw_uid);
1327 //change uid to normal user
1328 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1329 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1331 PolicyEntry filter = PolicyEntry(
1332 SECURITY_MANAGER_ANY,
1333 std::to_string(pw_target->pw_uid),
1334 SECURITY_MANAGER_ANY
1337 //U2 requests contents of U1 privacy manager - should fail
1338 Api::getPolicyForSelf(filter, policyEntries);
1339 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1341 filter = PolicyEntry(
1342 SECURITY_MANAGER_ANY,
1343 SECURITY_MANAGER_ANY,
1344 SECURITY_MANAGER_ANY
1347 policyEntries.clear();
1349 //U2 requests contents of ADMIN bucket - should fail
1350 Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
1351 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1355 if (pid[1] != 0) { //parent
1357 std::vector<TemporaryTestUser> users = {
1358 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1359 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1362 users.at(0).create();
1363 users.at(1).create();
1365 //Install apps for both users
1366 for(const auto &user : users2AppsMap) {
1368 for(const auto &app : user.second) {
1369 InstallRequest requestInst;
1370 requestInst.setAppId(app.first.c_str());
1372 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1373 } catch (const std::out_of_range &e) {
1374 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1376 requestInst.setUid(users.at(0).getUid());
1378 for (const auto &privilege : app.second) {
1379 requestInst.addPrivilege(privilege.c_str());
1382 Api::install(requestInst);
1385 //check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
1391 RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
1393 //Wait until child #1 finishes
1394 pid_t ret = wait(&status);
1395 RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
1399 RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
1400 //Wait until child #2 finishes
1401 ret = wait(&status);
1402 RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
1404 for(auto &user : users) {
1408 sem_close(mutex[0]);
1409 sem_close(mutex[1]);
1414 RUNNER_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
1417 const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
1418 unsigned int privileges_count = 0;
1420 std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
1421 std::map<std::string, std::set<std::string>> apps2PrivsMap;
1423 for (const auto &username : usernames) {
1425 for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
1426 apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
1427 MANY_APPS.at(i), std::set<std::string>(
1428 MANY_APPS_PRIVILEGES.at(i).begin(),
1429 MANY_APPS_PRIVILEGES.at(i).end())));
1430 privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
1433 users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
1436 users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
1437 PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
1439 privileges_count += 2;
1443 RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
1445 RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
1449 std::vector<TemporaryTestUser> users = {
1450 TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
1451 TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
1454 users.at(0).create();
1455 users.at(1).create();
1457 //Install apps for both users
1458 for(const auto &user : users) {
1460 for(const auto &app : users2AppsMap.at(user.getUserName())) {
1461 InstallRequest requestInst;
1462 requestInst.setAppId(app.first.c_str());
1464 requestInst.setPkgId(MANY_APPS_PKGS.at(app.first).c_str());
1465 } catch (const std::out_of_range &e) {
1466 RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
1468 requestInst.setUid(user.getUid());
1470 for (const auto &privilege : app.second) {
1471 requestInst.addPrivilege(privilege.c_str());
1474 Api::install(requestInst);
1477 //Start child process
1479 RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
1481 //Wait for child process to finish
1484 //switch back to root
1485 for(auto &user : users) {
1492 if (pid == 0) { //child process
1494 RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
1496 struct passwd *pw = getUserStruct(usernames.at(0));
1497 register_current_process_as_privilege_manager(pw->pw_uid, true);
1499 //change uid to normal user
1500 int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
1501 RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
1503 PolicyRequest *policyRequest = new PolicyRequest();
1505 std::vector<PolicyEntry> policyEntries;
1506 //this call should succeed as the calling user is privileged
1507 Api::getPolicyForSelf(filter, policyEntries);
1509 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
1511 PolicyEntry policyEntry(
1512 SECURITY_MANAGER_ANY,
1513 SECURITY_MANAGER_ANY,
1514 "http://tizen.org/privilege/internet"
1516 policyEntry.setMaxLevel("Deny");
1518 policyRequest->addEntry(policyEntry);
1519 policyEntry = PolicyEntry(
1520 SECURITY_MANAGER_ANY,
1521 SECURITY_MANAGER_ANY,
1522 "http://tizen.org/privilege/location"
1524 policyEntry.setMaxLevel("Deny");
1526 policyRequest->addEntry(policyEntry);
1527 Api::sendPolicy(*policyRequest);
1528 Api::getPolicyForAdmin(filter, policyEntries);
1530 RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
1532 delete policyRequest;
1533 policyRequest = new PolicyRequest();
1534 policyEntry = PolicyEntry(
1535 SECURITY_MANAGER_ANY,
1536 SECURITY_MANAGER_ANY,
1537 "http://tizen.org/privilege/internet"
1539 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1540 policyRequest->addEntry(policyEntry);
1542 policyEntry = PolicyEntry(
1543 SECURITY_MANAGER_ANY,
1544 SECURITY_MANAGER_ANY,
1545 "http://tizen.org/privilege/location"
1547 policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
1549 policyRequest->addEntry(policyEntry);
1550 Api::sendPolicy(*policyRequest);
1552 policyEntries.clear();
1553 Api::getPolicyForAdmin(filter, policyEntries);
1554 RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
1556 delete policyRequest;
1563 int main(int argc, char *argv[])
1565 return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);
projects / platform / core / test / security-tests.git / blob