* limitations under the License.
*/
+#include <algorithm>
#include <cstdlib>
#include <map>
-#include <set>
#include <string>
#include <sys/types.h>
#include <unistd.h>
#include <utility>
#include <vector>
+#include <privilege_info.h>
+
#include <app_install_helper.h>
#include <cynara_test_admin.h>
#include <dpl/test/test_runner.h>
-#include <memory.h>
-#include <passwd_access.h>
+#include <dpl/test/test_runner_child.h>
#include <policy_configuration.h>
-#include <privilege_info.h>
-#include <scoped_label.h>
#include <scoped_installer.h>
#include <sm_api.h>
#include <sm_commons.h>
#include <tests_common.h>
using namespace SecurityManagerTest;
-
-static const std::vector<std::string> PM_MANY_APPS = {
- "security_manager_pm_app_1",
- "security_manager_pm_app_2",
- "security_manager_pm_app_3",
- "security_manager_pm_app_4",
- "security_manager_pm_app_5"
+namespace {
+struct UserInfo {
+ std::string userName;
+ GumUserType userType;
};
-const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
-const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
-const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
-const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
-
-static const std::map<std::string, struct app_attributes> PM_MANY_APPS_PKGS = {
- {"security_manager_pm_app_1", {"security_manager_pm_pkg_1", "2.1"}},
- {"security_manager_pm_app_2", {"security_manager_pm_pkg_2", "3.0"}},
- {"security_manager_pm_app_3", {"security_manager_pm_pkg_3", "2.1.1"}},
- {"security_manager_pm_app_4", {"security_manager_pm_pkg_4", "3.1"}},
- {"security_manager_pm_app_5", {"security_manager_pm_pkg_5", "2.2"}},
- {PRIVILEGE_MANAGER_APP, {PRIVILEGE_MANAGER_PKG, "3.0"}}
-};
+// Privileges required for having permission to self/admin get/set policies.
+const std::string SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
+const std::string ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
-static const std::vector<privileges_t> PM_MANY_APPS_PRIVILEGES = {
+typedef std::vector<std::string> Privileges;
+const std::vector<Privileges> TEST_PRIVILEGES = {
{
"http://tizen.org/privilege/internet",
"http://tizen.org/privilege/display"
}
};
-RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
-
-static inline void register_current_process_as_privilege_manager(uid_t uid, bool forAdmin = false)
-{
- InstallRequest request;
- request.setAppId(PRIVILEGE_MANAGER_APP.c_str());
- request.setPkgId(PRIVILEGE_MANAGER_PKG.c_str());
- request.setUid(uid);
- request.addPrivilege(PRIVILEGE_MANAGER_SELF_PRIVILEGE.c_str());
- if (forAdmin)
- request.addPrivilege(PRIVILEGE_MANAGER_ADMIN_PRIVILEGE.c_str());
- Api::install(request);
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
+const std::vector<Privileges> TEST_PRIVACY_PRIVILEGES = {
+ {
+ "http://tizen.org/privilege/telephony",
+ "http://tizen.org/privilege/led",
+ "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
+ "http://tizen.org/privilege/account.read",
+ "http://tizen.org/privilege/healthinfo"
+ },
+ {
+ "http://tizen.org/privilege/telephony",
+ "http://tizen.org/privilege/led",
+ "http://tizen.org/privilege/callhistory.read" // privacy-related privileges start here
+ }
};
+bool isPrivilegePrivacy(const std::string &priv) {
+ return (1 == privilege_info_is_privacy(priv.c_str()));
+}
+
+int countPrivacyPrivileges(const Privileges &privs) {
+ return std::count_if(privs.begin(), privs.end(), isPrivilegePrivacy);
+}
+
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PRIVACY_MANAGER)
+
RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_self)
{
- //TEST DATA
- const std::string username("sm_test_10_user_name");
- unsigned int privileges_count = 0;
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for (unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PM_MANY_APPS.at(i), std::set<std::string>(
- PM_MANY_APPS_PRIVILEGES.at(i).begin(),
- PM_MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
- };
+ TemporaryTestUser tmpUser("sm_test_10_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser.create();
+
+ unsigned expectedPolicyCount = 0;
+ std::map<std::string, AppInstallHelper> appIdToAIH;
+ for (unsigned i = 0; i < TEST_PRIVILEGES.size(); i++) {
+ AppInstallHelper app("sm_test_10_" + std::to_string(i), tmpUser.getUid());
+ app.addPrivileges(TEST_PRIVILEGES[i]);
+ expectedPolicyCount += app.getPrivileges().size();
+ appIdToAIH.emplace(app.getAppId(), std::move(app));
+ }
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
- ++privileges_count;
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
- //TEST DATA END
+ AppInstallHelper privManager("sm_test_10_privilege_manager", tmpUser.getUid());
+ std::string privManagerAppId = privManager.getAppId();
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ expectedPolicyCount += privManager.getPrivileges().size();
+ appIdToAIH.emplace(privManager.getAppId(), std::move(privManager));
- SynchronizationPipe pipe;
- pid_t pid = fork();
+ std::vector<ScopedInstaller> scopedInstallations;
+ for (const auto &appIdAIH : appIdToAIH) {
+ scopedInstallations.emplace_back(ScopedInstaller(appIdAIH.second));
+ }
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
if (pid != 0) { //parent process
- pipe.claimParentEp();
- TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
- tmpUser.create();
-
- for(const auto &user : users2AppsMap) {
- for(const auto &app : user.second) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(tmpUser.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child process
- pipe.post();
waitPid(pid);
-
- tmpUser.remove();
} else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(username, uid, gid);
- std::string uidStr = std::to_string(uid);
- register_current_process_as_privilege_manager(uid);
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ Api::setProcessLabel(privManagerAppId);
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
+ "drop_root_privileges failed");
std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter;
- Api::getPolicy(filter, policyEntries);
+ Api::getPolicy(PolicyEntry(), policyEntries);
RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
+ "Number of policies doesn't match - should be: " << expectedPolicyCount
+ << " and is " << policyEntries.size());
for (const auto &policyEntry : policyEntries) {
std::string user = policyEntry.getUser();
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
- RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
+ RUNNER_ASSERT_MSG(user == tmpUser.getUidString(), "Unexpected user: " << user);
- try {
- std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
- if (tmp == users2AppsMap.at(username).at(app).end())
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
- };
- };
+ auto appIt = appIdToAIH.find(app);
+ RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
+
+ AppInstallHelper &aih = appIt->second;
+ auto appPrivileges = aih.getPrivileges();
+ auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
+ RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
+ "Unexpected privilege " << privilege << " for app " << app);
+ }
exit(0);
- };
+ }
}
RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_admin_unprivileged)
{
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_11_user_name_1", "sm_test_11_user_name_2"};
- unsigned int privileges_count = 0;
+ const std::string normalNameToSwitch = "sm_test_11_user_name_normal";
+ const std::vector<UserInfo> userInfos = {{normalNameToSwitch, GUM_USERTYPE_NORMAL},
+ {"sm_test_11_user_name_admin", GUM_USERTYPE_ADMIN}};
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
+ std::map<std::string, TemporaryTestUser> usernameToTTU;
+ // uid + app_id -> AppInstallHelper (different users can have same app_id installed)
+ std::map<std::pair<uid_t,std::string>, AppInstallHelper> userAppIdToAIH;
+ unsigned expectedPolicyCount = 0;
- for (const auto &username : usernames) {
- //Only entries for one of the users will be listed
- privileges_count = 0;
-
- for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PM_MANY_APPS.at(i), std::set<std::string>(
- PM_MANY_APPS_PRIVILEGES.at(i).begin(),
- PM_MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
+ for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
+ TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
+ user.create();
+
+ for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
+ AppInstallHelper app("sm_test_11_" + std::to_string(p_i), user.getUid());
+ app.addPrivileges(TEST_PRIVILEGES[p_i]);
+ if (user.getUserName() == normalNameToSwitch) // Only entries for this user should be fetched
+ expectedPolicyCount += app.getPrivileges().size();
+ userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
};
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ usernameToTTU.emplace(userInfos[u_i].userName, std::move(user));
};
- users2AppsMap.at(usernames.at(0)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
+ TemporaryTestUser &normalUserToSwitch = usernameToTTU.at(normalNameToSwitch);
- ++privileges_count;
- //TEST DATA END
+ AppInstallHelper privManager("sm_test_11_priv_manager", normalUserToSwitch.getUid());
+ std::string privManagerAppId = privManager.getAppId();
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ expectedPolicyCount += privManager.getPrivileges().size();
+ userAppIdToAIH.emplace(std::make_pair(normalUserToSwitch.getUid(), privManager.getAppId()),
+ std::move(privManager));
- SynchronizationPipe pipe;
- pid_t pid = fork();
+ std::vector<ScopedInstaller> scopedInstallations;
+ for (const auto &userAppIdAIH : userAppIdToAIH) {
+ scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
+ }
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
if (pid != 0) { //parent process
- pipe.claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
- };
-
- users.at(0).create();
- users.at(1).create();
-
- //Install apps for both users
- for(const auto &user : users) {
- for(const auto &app : users2AppsMap.at(user.getUserName())) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(user.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child
- pipe.post();
waitPid(pid);
-
- for (auto &user : users)
- user.remove();
-
} else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(usernames.at(0), uid, gid);
- std::string uidStr = std::to_string(uid);
- register_current_process_as_privilege_manager(uid);
-
- //change uid to normal user
- errno = 0;
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ Api::setProcessLabel(privManagerAppId);
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUserToSwitch.getUid(),
+ normalUserToSwitch.getGid()) == 0,
+ "drop_root_privileges failed");
std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter;
-
- //this call should only return privileges belonging to the current uid
- Api::getPolicy(filter, policyEntries);
+ Api::getPolicy(PolicyEntry(), policyEntries);
RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
+ "Number of policies doesn't match - should be: " << expectedPolicyCount
+ << " and is " << policyEntries.size());
for (const auto &policyEntry : policyEntries) {
+ // Expect policy only for current process user
std::string user = policyEntry.getUser();
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
- RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
+ RUNNER_ASSERT_MSG(normalUserToSwitch.getUidString() == user, "Unexpected user: " << user);
+ auto userAppIdToAIHIt = userAppIdToAIH.find(std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
+ RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
+ "Unknown app " << app << " for user " << user);
- try {
- std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
- if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
- };
- };
+ AppInstallHelper &aih = userAppIdToAIHIt->second;
+ auto privs = aih.getPrivileges();
+
+ auto appPrivileges = aih.getPrivileges();
+ auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
+ RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
+ "Unexpected privilege " << privilege << " for app " << app);
+ }
exit(0);
- };
+ }
}
RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
Api::getPolicy(PolicyEntry(), oldPolicyVec);
std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
- unsigned int privileges_count = oldPolicyVec.size();
+ std::string adminNameToSwitch = "sm_test_12_user_name_admin";
+ const std::vector<UserInfo> userInfos = {{"sm_test_12_user_name_normal",GUM_USERTYPE_NORMAL},
+ {adminNameToSwitch, GUM_USERTYPE_ADMIN}};
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
+ std::map<std::string, TemporaryTestUser> usernameToTTU;
+ std::vector<std::string> uidStrings;
+ // uidstring + app_id -> AppInstallHelper
+ std::map<std::pair<uid_t, std::string>, AppInstallHelper> userAppIdToAIH;
+ unsigned expectedPolicyCount = oldPolicyVec.size();
- for (const auto &username : usernames) {
- for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PM_MANY_APPS.at(i), std::set<std::string>(
- PM_MANY_APPS_PRIVILEGES.at(i).begin(),
- PM_MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
+ for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
+ TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
+ user.create();
+ uidStrings.push_back(user.getUidString());
+
+ for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
+ AppInstallHelper app("sm_test_12_" + std::to_string(p_i), user.getUid());
+ // Shift privileges, so same app_id for different users doesn't have same privileges
+ app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
+ expectedPolicyCount += app.getPrivileges().size();
+ userAppIdToAIH.emplace(std::make_pair(user.getUid(), app.getAppId()), std::move(app));
};
-
- users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
+ usernameToTTU.emplace(user.getUserName(), std::move(user));
};
- users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
- std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
+ TemporaryTestUser &adminUserToSwitch = usernameToTTU.at(adminNameToSwitch);
- privileges_count += 2;
- //TEST DATA END
+ AppInstallHelper privManager("sm_test_12_priv_manager", adminUserToSwitch.getUid());
+ std::string privManagerAppId = privManager.getAppId();
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ privManager.addPrivilege(ADMIN_PRIVILEGE);
+ expectedPolicyCount += privManager.getPrivileges().size();
- SynchronizationPipe pipe;
- pid_t pid = fork();
+ userAppIdToAIH.emplace(std::make_pair(adminUserToSwitch.getUid(), privManager.getAppId()),
+ std::move(privManager));
- if (pid != 0) { //parent process
- pipe.claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
- };
-
- users.at(0).create();
- users.at(1).create();
- //Install apps for both users
- for(const auto &user : users) {
- for(const auto &app : users2AppsMap.at(user.getUserName())) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(user.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
- };
+ std::vector<ScopedInstaller> scopedInstallations;
+ for (const auto &userAppIdAIH : userAppIdToAIH) {
+ scopedInstallations.emplace_back(ScopedInstaller(userAppIdAIH.second));
+ }
- //Start child process
- pipe.post();
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+ if (pid != 0) { //parent process
waitPid(pid);
-
- for (auto &user : users)
- user.remove();
-
} else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t adminUid;
- gid_t adminGid;
- PasswdAccess::allUser(usernames.at(1), adminUid, adminGid);
- std::string adminUidStr = std::to_string(adminUid);
- uid_t normalUid = PasswdAccess::uid(usernames.at(0));
- std::string normalUidStr = std::to_string(normalUid);
- register_current_process_as_privilege_manager(adminUid, true);
-
- //change uid to normal user
- int result = drop_root_privileges(adminUid, adminGid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
+ Api::setProcessLabel(privManagerAppId);
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
+ adminUserToSwitch.getGid()) == 0,
+ "drop_root_privileges failed");
std::vector<PolicyEntry> policyEntries;
- //this call should succeed as the calling user is privileged
Api::getPolicy(PolicyEntry(), policyEntries);
-
RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == expectedPolicyCount,
+ "Number of policies doesn't match - should be: " << expectedPolicyCount
+ << " and is " << policyEntries.size());
for (const auto &policyEntry : policyEntries) {
+ // Expect policy for all users to be returned
if (oldPolicySet.count(policyEntry))
continue;
-
std::string user = policyEntry.getUser();
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
- RUNNER_ASSERT_MSG(user == normalUidStr || user == adminUidStr, "Unexpected user: " << user);
+ auto uidStringIt = std::find(uidStrings.begin(), uidStrings.end(), user);
+ RUNNER_ASSERT_MSG(uidStringIt != uidStrings.end(), "Unexpected user: " << user);
- std::string uidStrToLook = user == normalUidStr ? usernames.at(0) : usernames.at(1);
+ auto userAppIdToAIHIt = userAppIdToAIH.find(
+ std::make_pair(static_cast<uid_t>(std::stoi(user)), app));
+ RUNNER_ASSERT_MSG(userAppIdToAIHIt != userAppIdToAIH.end(),
+ "Unknown app " << app << " for user " << user);
- try {
- std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
- if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
- } catch (const std::invalid_argument& e) {
- RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
- };
- };
+ AppInstallHelper &aih = userAppIdToAIHIt->second;
+ auto privs = aih.getPrivileges();
+ auto appPrivileges = aih.getPrivileges();
+ auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
+ RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
+ "Unexpected privilege " << privilege << " for app " << app);
+ };
exit(0);
};
}
RUNNER_CHILD_TEST(security_manager_13_privacy_manager_fetch_policy_after_update_unprivileged)
{
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_13_user_name_1", "sm_test_13_user_name_2"};
+ std::string normalName = "sm_test_13_user_name_normal";
+ std::string adminName = "sm_test_13_user_name_admin";
+ const std::vector<UserInfo> userInfos = {{normalName,GUM_USERTYPE_NORMAL},
+ {adminName, GUM_USERTYPE_ADMIN}};
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
+ std::map<std::string, TemporaryTestUser> usernameToTTU;
+ std::map<uid_t, std::vector<AppInstallHelper>> uidToAIHs;
+ unsigned expectedPolicyCount = 0;
+ std::string privManagerAppId;
- for (const auto &username : usernames) {
+ for (unsigned int u_i = 0; u_i < userInfos.size(); u_i++) {
+ //Only entries for one of the users will be listed
+ TemporaryTestUser user(userInfos[u_i].userName, userInfos[u_i].userType);
+ user.create();
- for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PM_MANY_APPS.at(i), std::set<std::string>(
- PM_MANY_APPS_PRIVILEGES.at(i).begin(),
- PM_MANY_APPS_PRIVILEGES.at(i).end())));
+ for (unsigned int p_i = 0; p_i < TEST_PRIVILEGES.size(); p_i++) {
+ AppInstallHelper app("sm_test_13_" + std::to_string(p_i), user.getUid());
+ // Shift privileges, so same app_id for different user doesn't have same privileges
+ app.addPrivileges(TEST_PRIVILEGES.at((p_i + u_i) % TEST_PRIVILEGES.size()));
+ expectedPolicyCount += app.getPrivileges().size();
+ uidToAIHs[user.getUid()].emplace_back(std::move(app));
};
+ AppInstallHelper privManager("sm_test_13_priv_manager", user.getUid());
+ privManagerAppId = privManager.getAppId();
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ expectedPolicyCount += privManager.getPrivileges().size();
+ uidToAIHs[user.getUid()].emplace_back(std::move(privManager));
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ usernameToTTU.emplace(user.getUserName(), std::move(user));
};
- users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
-
- //TEST DATA END
-
- pid_t pid[2];
- SynchronizationPipe sync[2];
- std::vector<PolicyEntry> policyEntries;
-
- pid[0] = fork();
-
- if (pid[0] == 0) { //child #1 process
- sync[0].claimChildEp();
- sync[0].wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(usernames.at(0), uid, gid);
- register_current_process_as_privilege_manager(uid);
+ std::vector<ScopedInstaller> scopedInstallations;
+ for (const auto &userAIHs : uidToAIHs) {
+ for (const auto &aih : userAIHs.second)
+ scopedInstallations.emplace_back(ScopedInstaller(aih));
+ }
- //change uid to normal user
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ TemporaryTestUser &adminUser = usernameToTTU.at(adminName);
+ TemporaryTestUser &normalUser = usernameToTTU.at(normalName);
- PolicyEntry filter;
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
+ if (pid == 0) { //child #1 process
+ Api::setProcessLabel(privManagerAppId);
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(normalUser.getUid(), normalUser.getGid()) == 0,
+ "drop_root_privileges failed");
+ auto &app1 = uidToAIHs[normalUser.getUid()][0];
+ auto &app2 = uidToAIHs[normalUser.getUid()][0];
PolicyRequest policyRequest;
-
PolicyEntry policyEntry(
- PM_MANY_APPS[0],
- std::to_string(uid),
- "http://tizen.org/privilege/internet"
+ app1.getAppId(),
+ normalUser.getUidString(),
+ app1.getPrivileges()[0]
);
policyEntry.setLevel("Deny");
policyRequest.addEntry(policyEntry);
policyEntry = PolicyEntry(
- PM_MANY_APPS[1],
- std::to_string(uid),
- "http://tizen.org/privilege/display"
+ app2.getAppId(),
+ normalUser.getUidString(),
+ app1.getPrivileges()[1]
);
policyEntry.setLevel("Deny");
-
policyRequest.addEntry(policyEntry);
Api::sendPolicy(policyRequest);
exit(0);
- } else { //parent process
- sync[0].claimParentEp();
- pid[1] = fork();
-
- if (pid[1] == 0) { //child #2 process
- sync[1].claimChildEp();
- sync[1].wait();
-
- uid_t target_uid = PasswdAccess::uid(usernames.at(0));
- uid_t my_uid;
- gid_t my_gid;
- PasswdAccess::allUser(usernames.at(1), my_uid, my_gid);
-
- register_current_process_as_privilege_manager(my_uid);
-
- //change uid to normal user
- int result = drop_root_privileges(my_uid, my_gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ } else {
+ waitPid(pid);
+ pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >=0, "Fork failed");
+ if (pid == 0) { //child #2 process
+ Api::setProcessLabel(privManagerAppId);
+ // Admin user, but in context of app, which doesn't have usermanagement privilege
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
+ "drop_root_privileges failed");
PolicyEntry filter = PolicyEntry(
SECURITY_MANAGER_ANY,
- std::to_string(target_uid),
+ normalUser.getUidString(),
SECURITY_MANAGER_ANY
);
-
+ std::vector<PolicyEntry> policyEntries;
//U2 requests contents of U1 privacy manager - should fail
Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
+ << policyEntries.size() << " entries");
filter = PolicyEntry(
SECURITY_MANAGER_ANY,
//U2 requests contents of ADMIN bucket - should fail
Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but has "
+ << policyEntries.size() << " entries");
exit(0);
- } else { //parent
- sync[1].claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
- };
-
- users.at(0).create();
- users.at(1).create();
-
- //Install apps for both users
- for(const auto &user : users2AppsMap) {
-
- for(const auto &app : user.second) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(users.at(0).getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
-
- //check_app_after_install(PM_MANY_APPS[i].c_str(), PM_MANY_APPS_PKGS[i].c_str());
- };
-
- //Start child #1
- sync[0].post();
- waitPid(pid[0]);
-
- //Start child #2
- sync[1].post();
- waitPid(pid[1]);
-
- for (auto &user : users)
- user.remove();
- };
- };
+ } else {
+ waitPid(pid);
+ }
+ }
}
RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_for_admin)
{
- //TEST DATA
- const std::vector<std::string> usernames = {"sm_test_14_user_name_1", "sm_test_14_user_name_2"};
- unsigned int privileges_count = 0;
-
- std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
- std::map<std::string, std::set<std::string>> apps2PrivsMap;
-
- for (const auto &username : usernames) {
-
- for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
- apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
- PM_MANY_APPS.at(i), std::set<std::string>(
- PM_MANY_APPS_PRIVILEGES.at(i).begin(),
- PM_MANY_APPS_PRIVILEGES.at(i).end())));
- privileges_count+=PM_MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
- };
+ TemporaryTestUser adminUserToSwitch("sm_test_14_user_name_admin", GUM_USERTYPE_ADMIN);
+ adminUserToSwitch.create();
- users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE}));
+ AppInstallHelper privManager("sm_test_14_priv_manager", adminUserToSwitch.getUid());
+ privManager.addPrivilege(ADMIN_PRIVILEGE);
- privileges_count += 2;
- //TEST DATA END
- SynchronizationPipe pipe;
+ ScopedInstaller privManagerInstall(privManager);
pid_t pid = fork();
if (pid != 0) {
- pipe.claimParentEp();
- std::vector<TemporaryTestUser> users = {
- TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
- };
-
- users.at(0).create();
- users.at(1).create();
-
- //Install apps for both users
- for(const auto &user : users) {
-
- for(const auto &app : users2AppsMap.at(user.getUserName())) {
- InstallRequest requestInst;
- requestInst.setAppId(app.first.c_str());
- try {
- requestInst.setPkgId(PM_MANY_APPS_PKGS.at(app.first).package.c_str());
- } catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Couldn't find package for app: " << app.first);
- };
- requestInst.setUid(user.getUid());
-
- for (const auto &privilege : app.second) {
- requestInst.addPrivilege(privilege.c_str());
- };
-
- Api::install(requestInst);
- };
- };
-
- //Start child process
- pipe.post();
waitPid(pid);
-
- //switch back to root
- for (auto &user : users)
- user.remove();
-
} else { //child process
- pipe.claimChildEp();
- pipe.wait();
-
- uid_t uid; gid_t gid;
- PasswdAccess::allUser(usernames.at(1), uid, gid);
- register_current_process_as_privilege_manager(uid, true);
-
- //change uid to normal user
- int result = drop_root_privileges(uid, gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ Api::setProcessLabel(privManager.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUserToSwitch.getUid(),
+ adminUserToSwitch.getGid()) == 0,
+ "drop_root_privileges failed");
- PolicyRequest *policyRequest = new PolicyRequest();
- PolicyEntry filter;
+ PolicyRequest setPolicyRequest;
std::vector<PolicyEntry> policyEntries;
- //this call should succeed as the calling user is privileged
- Api::getPolicyForSelf(filter, policyEntries);
- unsigned int policyNum = policyEntries.size();
+ const std::string internetPriv = "http://tizen.org/privilege/internet";
+ const std::string displayPriv = "http://tizen.org/privilege/display";
- PolicyEntry policyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/internet"
- );
- policyEntry.setMaxLevel("Deny");
+ PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, internetPriv);
+ internetPolicyEntry.setMaxLevel("Deny");
+ setPolicyRequest.addEntry(internetPolicyEntry);
- policyRequest->addEntry(policyEntry);
- policyEntry = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/display"
- );
- policyEntry.setMaxLevel("Deny");
+ PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, displayPriv);
+ displayPolicyEntry.setMaxLevel("Deny");
+ setPolicyRequest.addEntry(displayPolicyEntry);
- policyRequest->addEntry(policyEntry);
- Api::sendPolicy(*policyRequest);
- Api::getPolicyForAdmin(filter, policyEntries);
+ Api::sendPolicy(setPolicyRequest);
- RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
- << policyNum + 2 << " and is " << policyEntries.size());
+ Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2"
+ " and is " << policyEntries.size());
- delete policyRequest;
- policyRequest = new PolicyRequest();
- policyEntry = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/internet"
- );
- policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
- policyRequest->addEntry(policyEntry);
-
- policyEntry = PolicyEntry(
- SECURITY_MANAGER_ANY,
- SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/display"
- );
- policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
+ PolicyRequest delPolicyRequest;
- policyRequest->addEntry(policyEntry);
- Api::sendPolicy(*policyRequest);
+ internetPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
+ delPolicyRequest.addEntry(internetPolicyEntry);
- policyEntries.clear();
- Api::getPolicyForAdmin(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0 and is " << policyEntries.size());
+ displayPolicyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
+ delPolicyRequest.addEntry(displayPolicyEntry);
- delete policyRequest;
+ Api::sendPolicy(delPolicyRequest);
+ policyEntries.clear();
+ Api::getPolicyForAdmin(PolicyEntry(), policyEntries);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Number of policies doesn't match - should be: 0"
+ " and is " << policyEntries.size());
exit(0);
};
-
}
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
{
- AppInstallHelper app("security_manager_15_update");
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "ADMIN";
- const std::string username("sm_test_15_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
- ScopedProcessLabel keepLabel;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
- user.create();
+ const std::string updatePriv = "http://tizen.org/privilege/led";
- app.createInstallDir();
- InstallRequest inst;
- inst.setAppId(app.getAppId());
- inst.setPkgId(app.getPkgId());
- Api::install(inst);
+ TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
+ adminUser.create();
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), true);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
+ AppInstallHelper updatedApp("security_manager_15_update");
+ ScopedInstaller updatedAppInstall(updatedApp);
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+ AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
+ privManager.addPrivilege(ADMIN_PRIVILEGE);
+ ScopedInstaller privManagerInstall(privManager);
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
+ if (pid != 0) { //parent process
waitPid(pid);
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("ADMIN", false, updatedApp.generateAppLabel().c_str(),
+ adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
+ nullptr);
+ } else {
+ Api::setProcessLabel(privManager.getAppId());
- admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
+ "drop_root_privileges failed");
- PolicyEntry entry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ PolicyEntry entry(updatedApp.getAppId(), adminUser.getUidString(), updatePriv);
entry.setMaxLevel("Allow");
-
+ PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
exit(0);
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
{
- const char *const update_other_app_id = "security_manager_15_update_other_app_id";
- const char *const update_other_pkg_id = "security_manager_15_update_other_pkg_id";
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "ADMIN";
- const std::string username("sm_test_15_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
- ScopedProcessLabel keepLabel;
+ const std::string updatePriv = "http://tizen.org/privilege/led";
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
+ TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN);
+ adminUser.create();
- int pipefd[2];
- pid_t pid;
- int result = 0;
+ AppInstallHelper app("security_manager_15");
+ ScopedInstaller appInstall(app);
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_ADMIN, false);
- user.create();
-
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), true);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+ AppInstallHelper privManager("security_manager_15_priv_manager", adminUser.getUid());
+ privManager.addPrivilege(ADMIN_PRIVILEGE);
+ ScopedInstaller privManagerInstall(privManager);
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
+ if (pid != 0) {
waitPid(pid);
-
- admin.adminCheck(check_start_bucket, false, generateProcessLabel(update_other_app_id, update_other_pkg_id).c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- // use wildcard as appId
- PolicyEntry entry(SECURITY_MANAGER_ANY, std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("ADMIN", false, app.generateAppLabel().c_str(),
+ adminUser.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_ALLOW,
+ nullptr);
+ } else {
+ Api::setProcessLabel(privManager.getAppId());
+ RUNNER_ASSERT_MSG(drop_root_privileges(adminUser.getUid(), adminUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ PolicyEntry entry(SECURITY_MANAGER_ANY, adminUser.getUidString(), updatePriv);
entry.setMaxLevel("Allow");
+ PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
exit(0);
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
{
- AppInstallHelper app("security_manager_15_update");
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "";
- const std::string username("sm_test_15_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
- ScopedProcessLabel keepLabel;
+ const std::string updatePriv = "http://tizen.org/privilege/led";
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL);
user.create();
- app.createInstallDir();
- InstallRequest inst;
- inst.setAppId(app.getAppId());
- inst.setPkgId(app.getPkgId());
- Api::install(inst);
+ AppInstallHelper app("security_manager_15");
+ ScopedInstaller appInstall(app);
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- register_current_process_as_privilege_manager(user.getUid(), false);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+ AppInstallHelper privManager("security_manager_15_priv_manager", user.getUid());
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ ScopedInstaller privManagerInstall(privManager);
+ pid_t pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0) {
waitPid(pid);
-
- admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- PolicyEntry entry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
+ } else {
+ Api::setProcessLabel(privManager.getAppId());
+ RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
entry.setLevel("Allow");
+ PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
exit(0);
RUNNER_CHILD_TEST(security_manager_16_policy_levels_get)
{
- const std::string username("sm_test_16_user_cynara_policy");
- CynaraTestAdmin::Admin admin;
- int pipefd[2];
- pid_t pid;
- int result = 0;
-
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser user("sm_test_16_user_name", GUM_USERTYPE_NORMAL);
user.create();
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
+ if (pid != 0) {
waitPid(pid);
- }
- if(pid == 0)
- {
- int ret;
+ } else {
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
+ "drop_root_privileges failed");
+
char** levels;
- std::string allow_policy, deny_policy;
size_t count;
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
-
- //become admin privacy manager manager
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
-
- // 3 should be there when ask-user is installed
- ret = security_manager_policy_levels_get(&levels, &count);
-
+ int ret = security_manager_policy_levels_get(&levels, &count);
RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
"Invlid return code: " << ret);
+ std::unique_ptr<char *, std::function<void(char**)>> descriptionsPtr(levels,
+ [count](char **levels) { security_manager_policy_levels_free(levels, count);});
- RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
+ RUNNER_ASSERT_MSG(count >= 2, "Invalid number of policy levels. Should be 3,"
+ " instead there is: " << count);
- deny_policy = std::string(levels[0]);
- allow_policy = std::string(levels[count-1]);
+ std::string denyPolicy = std::string(levels[0]);
+ std::string allowPolicy = std::string(levels[count-1]);
// first should always be Deny
- RUNNER_ASSERT_MSG(deny_policy.compare("Deny") == 0,
+ RUNNER_ASSERT_MSG(denyPolicy.compare("Deny") == 0,
"Invalid first policy level. Should be Deny, instead there is: " << levels[0]);
// last should always be Allow
- RUNNER_ASSERT_MSG(allow_policy.compare("Allow") == 0,
+ RUNNER_ASSERT_MSG(allowPolicy.compare("Allow") == 0,
"Invalid last policy level. Should be Allow, instead there is: " << levels[count-1]);
-
- security_manager_policy_levels_free(levels, count);
exit(0);
}
}
-RUNNER_CHILD_TEST(security_manager_17_privacy_manager_delete_policy_for_self)
+RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self)
{
- AppInstallHelper app("security_manager_17_update");
- const char *const update_privilege = "http://tizen.org/privilege/led";
- const char *const check_start_bucket = "";
- const std::string username("sm_test_17_username");
- PolicyRequest addPolicyRequest;
- CynaraTestAdmin::Admin admin;
+ const std::string updatePriv = "http://tizen.org/privilege/led";
- struct message {
- uid_t uid;
- gid_t gid;
- } msg;
-
- int pipefd[2];
- int pipefd2[2];
- pid_t pid[2];
- int result = 0;
- ScopedProcessLabel keepLabel;
-
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
- RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
-
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
+ TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL);
user.create();
- app.createInstallDir();
- InstallRequest inst;
- inst.setAppId(app.getAppId());
- inst.setPkgId(app.getPkgId());
- Api::install(inst);
-
- pid[0] = fork();
- RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
- if (pid[0] != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
+ AppInstallHelper app("security_manager_17a");
+ ScopedInstaller appInstall(app);
- register_current_process_as_privilege_manager(user.getUid(), false);
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
- waitPid(pid[0]);
+ SynchronizationPipe synchPipe;
+ pid_t pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0) {
+ synchPipe.claimParentEp();
- admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
+ synchPipe.wait();
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
+ synchPipe.post();
- pid[1] = fork();
- if (pid[1] != 0)//parent process
- {
- FdUniquePtr pipeptr(pipefd2+1);
- close(pipefd2[0]);
+ synchPipe.wait();
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
+ waitPid(pid);
+ } else {
+ synchPipe.claimChildEp();
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
+ "drop_root_privileges failed");
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
+ PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
+ entry.setLevel("Allow");
+ PolicyRequest addPolicyRequest;
+ addPolicyRequest.addEntry(entry);
+ Api::sendPolicy(addPolicyRequest);
+ synchPipe.post();
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+ synchPipe.wait();
+ PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
+ deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
+ PolicyRequest deletePolicyRequest;
+ deletePolicyRequest.addEntry(deleteEntry);
+ Api::sendPolicy(deletePolicyRequest);
+ synchPipe.post();
- waitPid(pid[1]);
+ exit(0);
+ }
+}
- admin.adminCheck(check_start_bucket, false, app.generateAppLabel().c_str(),
- std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
- }
- if(pid[1] == 0)
- {
- FdUniquePtr pipeptr(pipefd2);
- close(pipefd2[1]);
+RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self)
+{
+ const std::string updatePriv = "http://tizen.org/privilege/led";
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+ TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL);
+ user.create();
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ AppInstallHelper app("security_manager_17b");
+ ScopedInstaller appInstall(app);
- // delete this entry
- PolicyRequest deletePolicyRequest;
- PolicyEntry deleteEntry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
- deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
+ AppInstallHelper privManager("security_manager_17b_priv_manager", user.getUid());
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ ScopedInstaller privManagerInstall(privManager);
- deletePolicyRequest.addEntry(deleteEntry);
- Api::sendPolicy(deletePolicyRequest);
- exit(0);
- }
- }
- if(pid[0] == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
+ SynchronizationPipe synchPipe;
+ pid_t pid = fork();
+ RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+ if (pid != 0) {
+ synchPipe.claimParentEp();
+ synchPipe.wait();
+ CynaraTestAdmin::Admin admin;
+ admin.adminCheck("", false, app.generateAppLabel().c_str(), user.getUidString().c_str(),
+ updatePriv.c_str(), CYNARA_ADMIN_ALLOW, nullptr);
+ synchPipe.post();
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+ synchPipe.wait();
+ admin.adminCheck("", false, app.generateAppLabel().c_str(),
+ user.getUidString().c_str(), updatePriv.c_str(), CYNARA_ADMIN_DENY, nullptr);
+ waitPid(pid);
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ } else {
+ synchPipe.claimChildEp();
+ Api::setProcessLabel(privManager.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
+ "drop_root_privileges failed");
- PolicyEntry entry(app.getAppId(), std::to_string(static_cast<int>(msg.uid)), update_privilege);
+ PolicyEntry entry(app.getAppId(), user.getUidString(), updatePriv);
entry.setLevel("Allow");
-
+ PolicyRequest addPolicyRequest;
addPolicyRequest.addEntry(entry);
Api::sendPolicy(addPolicyRequest);
+ synchPipe.post();
+
+ synchPipe.wait();
+ PolicyRequest deletePolicyRequest;
+ PolicyEntry deleteEntry(app.getAppId(), user.getUidString(), updatePriv);
+ deleteEntry.setLevel(SECURITY_MANAGER_DELETE);
+ deletePolicyRequest.addEntry(deleteEntry);
+ Api::sendPolicy(deletePolicyRequest);
+ synchPipe.post();
exit(0);
}
}
RUNNER_CHILD_TEST(security_manager_17_privacy_manager_fetch_whole_policy_for_self_filtered)
{
const std::string username("sm_test_17_user_name");
+ std::vector<AppInstallHelper> appHelpers;
+ std::vector<ScopedInstaller> scopedInstallations;
+ std::map<std::string, unsigned> privToCount;
+ unsigned policyCount = 0;
- struct message {
- uid_t uid;
- gid_t gid;
- unsigned int privileges_count;
- } msg;
+ TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
+ user.create();
+
+ for (unsigned int i = 0; i < TEST_PRIVILEGES.size(); i++) {
+ AppInstallHelper app("sm_test_17_" + std::to_string(i), user.getUid());
+ app.addPrivileges(TEST_PRIVILEGES[i]);
+ policyCount += app.getPrivileges().size();
+
+ appHelpers.emplace_back(std::move(app));
+ for (auto &priv: TEST_PRIVILEGES[i]) {
+ privToCount[priv]++;
+ }
+ }
- int pipefd[2];
- pid_t pid;
- int result = 0;
- ScopedProcessLabel keepLabel;
+ AppInstallHelper privManager("sm_test_17_priv_manager", user.getUid());
+ std::string privManagerAppId = privManager.getAppId();
+ privManager.addPrivilege(SELF_PRIVILEGE);
+ privToCount[SELF_PRIVILEGE]++;
+ policyCount += privManager.getPrivileges().size();
- RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+ appHelpers.emplace_back(std::move(privManager));
+ for (const auto &app : appHelpers)
+ scopedInstallations.emplace_back(std::move(ScopedInstaller(app)));
- pid = fork();
+ pid_t pid = fork();
RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
if (pid != 0)//parent process
{
- FdUniquePtr pipeptr(pipefd+1);
- close(pipefd[0]);
-
- TemporaryTestUser user(username, static_cast<GumUserType>(GUM_USERTYPE_NORMAL), false);
- user.create();
-
- unsigned int privileges_count = 0;
-
- for(unsigned int i = 0; i < PM_MANY_APPS.size(); ++i) {
- InstallRequest requestInst;
- requestInst.setAppId(PM_MANY_APPS[i].c_str());
- requestInst.setPkgId(PM_MANY_APPS_PKGS.at(PM_MANY_APPS[i]).package.c_str());
- requestInst.setUid(user.getUid());
-
- for (auto &priv : PM_MANY_APPS_PRIVILEGES.at(i)) {
- requestInst.addPrivilege(priv.c_str());
- };
-
- Api::install(requestInst);
- privileges_count += PM_MANY_APPS_PRIVILEGES.at(i).size();
- };
-
- register_current_process_as_privilege_manager(user.getUid(), false);
- //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
- ++privileges_count;
-
- //send info to child
- msg.uid = user.getUid();
- msg.gid = user.getGid();
- msg.privileges_count = privileges_count;
-
- ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
-
waitPid(pid);
- }
- if(pid == 0)
- {
- FdUniquePtr pipeptr(pipefd);
- close(pipefd[1]);
-
- ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
- RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+ } else {
+ Api::setProcessLabel(privManagerAppId);
+ RUNNER_ASSERT_MSG(drop_root_privileges(user.getUid(), user.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ for (const auto &privCount : privToCount) {
+ std::vector<PolicyEntry> policyEntries;
+ PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, privCount.first);
+ Api::getPolicy(filter, policyEntries);
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == privCount.second,
+ "Number of policies doesn't match - should be: " << privCount.second
+ << " and is " << policyEntries.size());
+ }
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
- result = drop_root_privileges(msg.uid, msg.gid);
- RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+ for (const auto &app : appHelpers) {
+ std::vector<PolicyEntry> policyEntries;
+ PolicyEntry filter(app.getAppId(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
+ Api::getPolicy(filter, policyEntries);
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
+ "Number of policies doesn't match - should be: " << app.getPrivileges().size()
+ << " and is " << policyEntries.size());
+ }
- // filter by privilege
std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/internet");
+ PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
Api::getPolicy(filter, policyEntries);
-
RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == policyCount,
+ "Number of policies doesn't match - should be: " << policyCount
+ << " and is " << policyEntries.size());
- // filter by other privilege
- policyEntries.clear();
- PolicyEntry filter2(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, "http://tizen.org/privilege/email");
- Api::getPolicy(filter2, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == 3, "Number of policies doesn't match - should be: 3 and is " << policyEntries.size());
-
- // filter by appId
- policyEntries.clear();
- PolicyEntry filter3(PM_MANY_APPS[4].c_str(), SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY);
- Api::getPolicy(filter3, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
- RUNNER_ASSERT_MSG(policyEntries.size() == 4, "Number of policies doesn't match - should be: 4 and is " << policyEntries.size());
+ exit(0);
}
}
RUNNER_CHILD_TEST(security_manager_18_privacy_manager_privacy_related_privileges_policy_install_remove)
{
+ const std::string askUserDescription = "Ask user";
TemporaryTestUser user("sm_test_18_username", GUM_USERTYPE_NORMAL);
user.create();
- AppInstallHelper helper("sm_test_18",
- user.getUid());
- helper.addPrivileges({
- "http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
- "http://tizen.org/privilege/account.read",
- "http://tizen.org/privilege/healthinfo"
- });
-
- PolicyEntry filter (helper.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
- std::vector<PolicyEntry> policyEntries;
+ AppInstallHelper app("sm_test_18", user.getUid());
+ app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
+ PolicyEntry filter (app.getAppId(), user.getUidString(), SECURITY_MANAGER_ANY);
+ std::vector<PolicyEntry> policyEntries;
{
- ScopedInstaller installer(helper);
- unsigned int privacyNum = 0;
- for (auto &priv : helper.getPrivileges()) {
- if (1 == privilege_info_is_privacy(priv.c_str()))
- ++privacyNum;
- };
+ ScopedInstaller installer(app);
+ unsigned int privacyNum = countPrivacyPrivileges(app.getPrivileges());
Api::getPolicy(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == helper.getPrivileges().size(),
- "Number of policy entries doesn't match; should be " << helper.getPrivileges().size() << " but is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == app.getPrivileges().size(),
+ "Number of policy entries doesn't match; should be " << app.getPrivileges().size()
+ << " but is " << policyEntries.size());
if (PolicyConfiguration::getIsAskuserEnabled() ) {
unsigned int privacyActNum = 0;
for (auto &entry : policyEntries)
- if (1 == privilege_info_is_privacy(entry.getPrivilege().c_str())) {
- RUNNER_ASSERT_MSG(entry.getCurrentLevel() == "Ask user", "Invalid policy setup; policy should be \"Ask user\" but is " << entry.getCurrentLevel());
+ if (isPrivilegePrivacy(entry.getPrivilege())) {
+ RUNNER_ASSERT_MSG(entry.getCurrentLevel() == askUserDescription,
+ "Invalid policy setup; policy should be \"Ask user\" but is "
+ << entry.getCurrentLevel());
++privacyActNum;
}
- RUNNER_ASSERT_MSG(privacyActNum == privacyNum, "Should be " << privacyNum << " privacy privileges, but is " << privacyActNum);
+ RUNNER_ASSERT_MSG(privacyActNum == privacyNum,
+ "Should be " << privacyNum << " privacy privileges,"
+ "but is " << privacyActNum);
}
}
policyEntries.clear();
-
Api::getPolicy(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "After deinstallation, policy entries size should be 0, but is: " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0,
+ "After deinstallation, policy entries size should be 0,"
+ "but is: " << policyEntries.size());
}
-RUNNER_CHILD_TEST(security_manager_19_privacy_manager_privacy_related_privileges_policy_hybrid)
-{
+void test_privacy_related_privileges(bool isHybrid) {
+ const std::string askUserDescription = "Ask user";
TemporaryTestUser user("sm_test_19_username", GUM_USERTYPE_NORMAL);
user.create();
- AppInstallHelper helper1("sm_test_19_app_id_1",
- "sm_test_19_pkg_id",
- true,
- user.getUid(),
- "3.0",
- true); // hybrid package
-
- helper1.addPrivileges({
- "http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
- "http://tizen.org/privilege/account.read",
- "http://tizen.org/privilege/healthinfo"
- });
-
- AppInstallHelper helper2("sm_test_19_app_id_2",
- "sm_test_19_pkg_id",
- true,
- user.getUid(),
- "3.0",
- true); // hybrid package
-
- helper2.addPrivileges({
- "http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
- });
+ const std::string pkgId = "sm_test_19_pkg_id";
+
+ AppInstallHelper app1("sm_test_19_app_id_1", pkgId, user.getUid());
+ if (isHybrid)
+ app1.setHybrid();
+ app1.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
+ ScopedInstaller installer1(app1);
+
+ AppInstallHelper app2("sm_test_19_app_id_2", pkgId, user.getUid());
+ if (isHybrid)
+ app2.setHybrid();
+ app2.addPrivileges(TEST_PRIVACY_PRIVILEGES[1]);
+ ScopedInstaller installer2(app2);
+
+ int privacyCount1, privacyCount2;
+ if (!PolicyConfiguration::getIsAskuserEnabled()) {
+ privacyCount1 = 0;
+ privacyCount2 = 0;
+ } else {
+ privacyCount1 = countPrivacyPrivileges(app1.getPrivileges());
+ privacyCount2 = countPrivacyPrivileges(app2.getPrivileges());
+ }
std::vector<PolicyEntry> policyEntries;
-
PolicyEntry filter(SECURITY_MANAGER_ANY, user.getUidString(), SECURITY_MANAGER_ANY);
- {
- ScopedInstaller installer1(helper1);
- ScopedInstaller installer2(helper2);
-
- unsigned int privacyNum1 = 0, privacyNum2 = 0;
-
- for (auto &priv : helper1.getPrivileges()) {
- if (1 == privilege_info_is_privacy(priv.c_str()))
- ++privacyNum1;
- };
-
- for (auto &priv : helper2.getPrivileges()) {
- if (1 == privilege_info_is_privacy(priv.c_str()))
- ++privacyNum2;
- };
-
- Api::getPolicy(filter, policyEntries);
+ Api::getPolicy(filter, policyEntries);
- if (PolicyConfiguration::getIsAskuserEnabled() ) {
- unsigned int privacyAct1 = 0, privacyAct2 = 0;
- for (auto &entry : policyEntries) {
- RUNNER_ASSERT_MSG(entry.getAppId() == helper1.getAppId() || entry.getAppId() == helper2.getAppId(),
- "Invalid appId: should be either " << helper1.getAppId() << " or " << helper2.getAppId() << " but is " << entry.getAppId());
- if (1 == privilege_info_is_privacy(entry.getPrivilege().c_str())) {
- RUNNER_ASSERT_MSG(entry.getCurrentLevel() == "Ask user",
- "Invalid policy setup; policy should be \"Ask user\" but is " << entry.getCurrentLevel());
- if (entry.getAppId() == helper1.getAppId())
- ++privacyAct1;
- else
- ++privacyAct2;
- }
- }
- RUNNER_ASSERT_MSG(privacyNum1 == privacyAct1, "Should be " << privacyNum1 << " privacy privileges, but is " << privacyAct1);
- RUNNER_ASSERT_MSG(privacyNum2 == privacyAct2, "Should be " << privacyNum2 << " privacy privileges, but is " << privacyAct2);
+ int privacyAct1 = 0, privacyAct2 = 0;
+ for (auto &entry : policyEntries) {
+ RUNNER_ASSERT_MSG(entry.getAppId() == app1.getAppId() || entry.getAppId() == app2.getAppId(),
+ "Invalid appId: should be either " << app1.getAppId() << " or "
+ << app2.getAppId() << " but is " << entry.getAppId());
+ if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(entry.getPrivilege())) {
+ RUNNER_ASSERT_MSG(entry.getCurrentLevel() == askUserDescription,
+ "Invalid policy setup; policy should be \"Ask user\" but is "
+ << entry.getCurrentLevel());
+ if (entry.getAppId() == app1.getAppId())
+ ++privacyAct1;
+ else
+ ++privacyAct2;
}
}
+ RUNNER_ASSERT_MSG(privacyCount1 == privacyAct1, "Should be " << privacyCount1
+ << " privacy privileges, but is " << privacyAct1);
+ RUNNER_ASSERT_MSG(privacyCount2 == privacyAct2, "Should be " << privacyCount2
+ << " privacy privileges, but is " << privacyAct2);
}
-RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privielges_policy_admin_check)
+RUNNER_CHILD_TEST(security_manager_19a_privacy_manager_privacy_related_privileges_policy_hybrid)
{
+ test_privacy_related_privileges(true);
+}
+
+RUNNER_CHILD_TEST(security_manager_19b_privacy_manager_privacy_related_privileges_policy_no_hybrid)
+{
+ test_privacy_related_privileges(false);
+}
+
+RUNNER_CHILD_TEST(security_manager_20_privacy_manager_privacy_related_privileges_policy_admin_check)
+{
+ const std::string askUserDescription = "Ask user";
TemporaryTestUser user("sm_test_20_username", GUM_USERTYPE_NORMAL);
user.create();
- AppInstallHelper helper("sm_test_20",
- user.getUid());
-
- helper.addPrivileges({
- "http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/led",
- "http://tizen.org/privilege/callhistory.read", // privacy-related privileges start here
- "http://tizen.org/privilege/account.read",
- "http://tizen.org/privilege/healthinfo"
- });
+ AppInstallHelper app("sm_test_20", user.getUid());
+ app.addPrivileges(TEST_PRIVACY_PRIVILEGES[0]);
- ScopedInstaller installer(helper);
+ ScopedInstaller installer(app);
- if (PolicyConfiguration::getIsAskuserEnabled() ) {
- CynaraTestAdmin::Admin admin;
- int policyType = 0;
- admin.getPolicyTypeForDescription("Ask user", policyType);
- for (auto &priv : helper.getPrivileges()) {
- if (1 == privilege_info_is_privacy(priv.c_str())) {
- admin.adminCheck("", true, helper.generateAppLabel().c_str(), user.getUidString().c_str(), priv.c_str(), policyType, nullptr);
- }
+ CynaraTestAdmin::Admin admin;
+ int policyType = CYNARA_ADMIN_ALLOW;
+ int privacyPolicyType = -1;
+ if (PolicyConfiguration::getIsAskuserEnabled())
+ admin.getPolicyTypeForDescription(askUserDescription, privacyPolicyType);
+
+ for (auto &priv : app.getPrivileges()) {
+ if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
+ admin.adminCheck("", true, app.generateAppLabel().c_str(),
+ user.getUidString().c_str(), priv.c_str(), privacyPolicyType,
+ nullptr);
+ } else {
+ admin.adminCheck("", true, app.generateAppLabel().c_str(),
+ user.getUidString().c_str(), priv.c_str(), policyType, nullptr);
}
}
}
projects / platform / core / test / security-tests.git / commitdiff