Provide configuration for smack-privilege tests

Security-manager has empty configuration for smack privileges by default. To
test this functionality smack privilege tests provide their own configurations.

Change-Id: I71028202f00eb159ee8d4df76041a25b4be188b1

diff --git a/packaging/security-tests.spec b/packaging/security-tests.spec
index 76d554c..d7d6de7 100644 (file)
--- a/packaging/security-tests.spec
+++ b/packaging/security-tests.spec
@@ -30,7 +30,7 @@ BuildRequires: libcynara-creds-dbus-devel
 BuildRequires: libcynara-creds-gdbus-devel
 BuildRequires: libcynara-creds-sd-bus-devel
 BuildRequires: pkgconfig(libtzplatform-config)
-BuildRequires: boost-devel
+BuildRequires: pkgconfig(boost)
 BuildRequires: pkgconfig(vconf)
 BuildRequires: pkgconfig(libgum) >= 1.0.5
 BuildRequires: pkgconfig(security-privilege-manager)
@@ -45,6 +45,7 @@ Requires: toybox-symlinks-ping
 %global ckm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/ckm-test/}%{!?TZ_SYS_SHARE:/usr/share/ckm-test/}
 %global ckm_rw_data_dir %{?TZ_SYS_DATA:%TZ_SYS_DATA/ckm/}%{!?TZ_SYS_DATA:/opt/data/ckm/}
 %global tz_backend_enabled %{?tz_backend:%tz_backend}%{!?tz_backend:OFF}
+%global sm_test_dir %{?TZ_SYS_SHARE:%TZ_SYS_SHARE/security-manager-test}%{!?TZ_SYS_SHARE:/usr/share/security-manager-test}
 
 %description
 Security tests repository - for tests that can't be kept together with code.
@@ -75,7 +76,8 @@ cmake . -DCMAKE_INSTALL_PREFIX=%{_prefix} \
         -DCKM_TEST_DIR=%{ckm_test_dir} \
         -DCKM_RW_DATA_DIR=%{ckm_rw_data_dir} \
         -DGLOBAL_APP_DIR=%{TZ_SYS_RW_APP} \
-        -DLOCAL_APP_DIR="%{TZ_SYS_HOME}/security_test_user/apps_rw"
+        -DLOCAL_APP_DIR="%{TZ_SYS_HOME}/security_test_user/apps_rw" \
+        -DSM_TEST_DIR="%{sm_test_dir}"
 make %{?jobs:-j%jobs}
 
 %pre
@@ -135,6 +137,7 @@ echo "security-tests postinst done ..."
 %{_prefix}/share/yaca-test
 %dir %{_prefix}/share/security-tests-cleanup-test
 %{_prefix}/share/security-tests-cleanup-test/*
+%{sm_test_dir}
 
 %postun
 id -u security_test_user 1>/dev/null 2>&1 && gum-utils -o -d --uid=`id -u security_test_user`

diff --git a/src/security-manager-tests/CMakeLists.txt b/src/security-manager-tests/CMakeLists.txt
index e00b5c8..703d034 100644 (file)
--- a/src/security-manager-tests/CMakeLists.txt
+++ b/src/security-manager-tests/CMakeLists.txt
@@ -17,6 +17,11 @@
 # @brief
 #
 
+IF(NOT DEFINED SM_TEST_DIR)
+    SET(SM_TEST_DIR "${SHARE_INSTALL_PREFIX}/security-manager-test")
+ENDIF(NOT DEFINED SM_TEST_DIR)
+ADD_DEFINITIONS("-DSM_TEST_DIR=\"${SM_TEST_DIR}\"")
+
 INCLUDE(FindPkgConfig)
 
 # Dependencies
@@ -31,7 +36,8 @@ PKG_CHECK_MODULES(SEC_MGR_TESTS_DEP
     sqlite3
     libcap
     dbus-1
-    libgum)
+    libgum
+    boost)
 
 
 SET(TARGET_SEC_MGR_TESTS "security-manager-tests")
@@ -103,4 +109,9 @@ INSTALL(DIRECTORY
 INSTALL(DIRECTORY
     ${PROJECT_SOURCE_DIR}/src/security-manager-tests/app_files/
     DESTINATION ${LOCAL_APP_DIR}
+)
+
+INSTALL(DIRECTORY
+    ${PROJECT_SOURCE_DIR}/src/security-manager-tests/smack-privileges
+    DESTINATION ${SM_TEST_DIR}
 )
\ No newline at end of file

diff --git a/src/security-manager-tests/smack-privileges/backup/.dummy b/src/security-manager-tests/smack-privileges/backup/.dummy
new file mode 100644 (file)
index 0000000..e69de29

diff --git a/src/security-manager-tests/smack-privileges/empty/privilege-mapping/.dummy b/src/security-manager-tests/smack-privileges/empty/privilege-mapping/.dummy
new file mode 100644 (file)
index 0000000..e69de29

diff --git a/src/security-manager-tests/smack-privileges/internet-only/privilege-mapping/priv-rules-default-template.smack b/src/security-manager-tests/smack-privileges/internet-only/privilege-mapping/priv-rules-default-template.smack
new file mode 100644 (file)
index 0000000..09c5be6
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/internet-only/privilege-mapping/priv-rules-default-template.smack
@@ -0,0 +1,2 @@
+~PROCESS~ ~PRIVILEGE~ w
+~PRIVILEGE~ ~PROCESS~ w

diff --git a/src/security-manager-tests/smack-privileges/internet-only/privilege-smack.list b/src/security-manager-tests/smack-privileges/internet-only/privilege-smack.list
new file mode 100644 (file)
index 0000000..933b073
--- /dev/null
+++ b/src/security-manager-tests/smack-privileges/internet-only/privilege-smack.list
@@ -0,0 +1 @@
+http://tizen.org/privilege/internet System::Privilege::Internet default
\ No newline at end of file

diff --git a/src/security-manager-tests/test_cases_smack_privileges.cpp b/src/security-manager-tests/test_cases_smack_privileges.cpp
index 6f049ba..3fa120e 100644 (file)
--- a/src/security-manager-tests/test_cases_smack_privileges.cpp
+++ b/src/security-manager-tests/test_cases_smack_privileges.cpp
@@ -15,6 +15,10 @@
  */
 
 #include <memory>
+#include <map>
+#include <cassert>
+
+#include <boost/filesystem.hpp>
 
 #include <tzplatform_config.h>
 
@@ -27,14 +31,25 @@
 #include <app_install_helper_ext.h>
 #include <sm_policy_request.h>
 #include <privilege_names.h>
+#include <sm_commons.h>
+#include <service_manager.h>
 
 using namespace SecurityManagerTest;
 using namespace PrivilegeNames;
 
 namespace {
 
+namespace fs = boost::filesystem;
+
 const uid_t OWNER_ID = tzplatform_getuid(TZ_SYS_DEFAULT_USER);
 
+const fs::path TEST_SETUP_PATH = SM_TEST_DIR "/smack-privileges";
+const fs::path BACKUP_SETUP_PATH = TEST_SETUP_PATH / "backup";
+
+constexpr char SM_POLICY_PATH[] = "/usr/share/security-manager/policy";
+constexpr char SM_SMACK_PRIV_MAPPING_SUBDIR[] = "/privilege-mapping";
+constexpr char SM_SMACK_PRIV_CONFIG[] = "privilege-smack.list";
+
 void changePolicy(const AppInstallHelper& app, const std::string& priv, const std::string &level) {
     PolicyRequest policyRequest;
     PolicyEntry entry(app.getAppId(), std::to_string(app.getUID()), priv);
@@ -43,12 +58,118 @@ void changePolicy(const AppInstallHelper& app, const std::string& priv, const st
     Api::sendPolicy(policyRequest);
 }
 
+enum class SmackPrivSetup {
+    ORIGINAL,
+    EMPTY,
+    INTERNET_ONLY,
+    // TODO test other configurations
+};
+
+// This is to ensure that original security-manager policy is restored after the group is finished
+class SmackPrivGroupEnv final : public DPL::Test::TestGroup {
+private:
+    class SmackPrivSetupMgr final {
+    public:
+        SmackPrivSetupMgr() :
+            m_currentSetup(SmackPrivSetup::ORIGINAL),
+            m_serviceManager("security-manager.service"),
+            m_setupMap({{ SmackPrivSetup::EMPTY, "empty" },
+                        { SmackPrivSetup::INTERNET_ONLY, "internet-only" }})
+        {
+        }
+        SmackPrivSetupMgr(const SmackPrivSetupMgr&) = delete;
+        SmackPrivSetupMgr& operator=(const SmackPrivSetupMgr&) = delete;
+        ~SmackPrivSetupMgr()
+        {
+            // restore setup
+            if (m_currentSetup != SmackPrivSetup::ORIGINAL) {
+                try {
+                    copySetup(BACKUP_SETUP_PATH, SM_POLICY_PATH);
+
+                    m_serviceManager.restartService();
+                } catch (...) {
+                    RUNNER_ERROR_MSG("Unknown exception occurred during backup restore.");
+                }
+            }
+        }
+
+        void install(SmackPrivSetup setup)
+        {
+            if (setup == m_currentSetup)
+                return;
+
+            // backup setup
+            if (m_currentSetup == SmackPrivSetup::ORIGINAL)
+                copySetup(SM_POLICY_PATH, BACKUP_SETUP_PATH);
+
+            copySetup(TEST_SETUP_PATH / m_setupMap.at(setup), SM_POLICY_PATH);
+            m_currentSetup = setup;
+
+            // restart SM
+            m_serviceManager.restartService();
+        }
+
+    private:
+        void copySetup(const boost::filesystem::path& src, const boost::filesystem::path& dst)
+        {
+            const auto srcConfig = src / SM_SMACK_PRIV_CONFIG;
+            const auto dstConfig = dst / SM_SMACK_PRIV_CONFIG;
+            const auto srcMappingSubdir = src / SM_SMACK_PRIV_MAPPING_SUBDIR;
+            const auto dstMappingSubdir = dst / SM_SMACK_PRIV_MAPPING_SUBDIR;
+
+            // remove dst
+            fs::remove(dstConfig);
+            fs::remove_all(dstMappingSubdir);
+
+            // copy
+            if (fs::exists(srcConfig))
+                fs::copy_file(srcConfig, dstConfig);
+
+            if (fs::exists(srcMappingSubdir)) {
+                fs::create_directory(dstMappingSubdir);
+                for (const auto& e: fs::recursive_directory_iterator(srcMappingSubdir))
+                    fs::copy(e.path(), dstMappingSubdir / fs::relative(e.path(), srcMappingSubdir));
+            }
+        }
+
+        SmackPrivSetup m_currentSetup;
+        ServiceManager m_serviceManager;
+        const std::map<SmackPrivSetup, std::string> m_setupMap;
+    };
+
+    static std::unique_ptr<SmackPrivSetupMgr> m_setupMgr;
+
+public:
+    void Init() override {
+        assert(!m_setupMgr);
+
+        m_setupMgr.reset(new SmackPrivSetupMgr());
+    }
+
+    static void Install(SmackPrivSetup setup)
+    {
+        assert(m_setupMgr);
+
+        m_setupMgr->install(setup);
+    }
+
+    void Finish() override {
+        assert(m_setupMgr);
+
+        m_setupMgr.reset();
+    }
+};
+
+std::unique_ptr<SmackPrivGroupEnv::SmackPrivSetupMgr> SmackPrivGroupEnv::m_setupMgr;
+
 } // namespace anonymous
 
-RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SMACK_PRIVILEGES)
+RUNNER_TEST_GROUP_INIT_ENV(SECURITY_MANAGER_SMACK_PRIVILEGES, SmackPrivGroupEnv)
 
 RUNNER_CHILD_TEST(smack_privileges_10_no_privileges)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_10_app");
     {
         ScopedInstaller appInstall(app);
@@ -65,6 +186,8 @@ RUNNER_CHILD_TEST(smack_privileges_10_no_privileges)
 
 RUNNER_CHILD_TEST(smack_privileges_20_internet_privilege)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_20_app");
     app.addPrivileges({PRIV_INTERNET});
     {
@@ -87,6 +210,8 @@ RUNNER_CHILD_TEST(smack_privileges_20_internet_privilege)
 
 RUNNER_CHILD_TEST(smack_privileges_30_one_after_another)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_30_app");
     app.addPrivileges({PRIV_INTERNET});
     {
@@ -116,6 +241,8 @@ RUNNER_CHILD_TEST(smack_privileges_30_one_after_another)
 
 RUNNER_CHILD_TEST(smack_privileges_40_different_users_one_after_another)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_40_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -152,6 +279,8 @@ RUNNER_CHILD_TEST(smack_privileges_40_different_users_one_after_another)
 
 RUNNER_CHILD_TEST(smack_privileges_50_same_user_simultaneously)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_50_app", OWNER_ID);
     app.addPrivileges({PRIV_INTERNET});
     {
@@ -176,6 +305,8 @@ RUNNER_CHILD_TEST(smack_privileges_50_same_user_simultaneously)
 
 RUNNER_CHILD_TEST(smack_privileges_60_same_user_interchangeably)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_60_app", OWNER_ID);
     app.addPrivileges({PRIV_INTERNET});
     {
@@ -209,6 +340,8 @@ RUNNER_CHILD_TEST(smack_privileges_60_same_user_interchangeably)
 
 RUNNER_CHILD_TEST(smack_privileges_70_different_users_simultaneously)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_70_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -254,6 +387,8 @@ RUNNER_CHILD_TEST(smack_privileges_70_different_users_simultaneously)
 
 RUNNER_CHILD_TEST(smack_privileges_80_uninstall_local_while_running)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_80_app");
     app.addPrivileges({PRIV_INTERNET});
     {
@@ -283,6 +418,8 @@ RUNNER_CHILD_TEST(smack_privileges_80_uninstall_local_while_running)
 
 RUNNER_CHILD_TEST(smack_privileges_90_user_removal)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_90_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -313,6 +450,8 @@ RUNNER_CHILD_TEST(smack_privileges_90_user_removal)
 
 RUNNER_CHILD_TEST(smack_privileges_100_hybrid_app)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_100_app");
     app.addPrivileges({PRIV_INTERNET});
     app.setHybrid();
@@ -336,6 +475,8 @@ RUNNER_CHILD_TEST(smack_privileges_100_hybrid_app)
 
 RUNNER_CHILD_TEST(smack_privileges_110_hybridity_change)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     AppInstallHelperExt app("sm_test_sp_110_app");
     app.addPrivileges({PRIV_INTERNET});
     {
@@ -381,6 +522,8 @@ RUNNER_CHILD_TEST(smack_privileges_110_hybridity_change)
 
 RUNNER_CHILD_TEST(smack_privileges_120_policy_change_while_running)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_120_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -415,6 +558,8 @@ RUNNER_CHILD_TEST(smack_privileges_120_policy_change_while_running)
 
 RUNNER_CHILD_TEST(smack_privileges_130_different_users_and_policies)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_130_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -452,6 +597,8 @@ RUNNER_CHILD_TEST(smack_privileges_130_different_users_and_policies)
 
 RUNNER_CHILD_TEST(smack_privileges_140_two_users_sequence)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_140_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -495,6 +642,8 @@ RUNNER_CHILD_TEST(smack_privileges_140_two_users_sequence)
 
 RUNNER_CHILD_TEST(smack_privileges_150_independent_apps)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_150_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -528,6 +677,8 @@ RUNNER_CHILD_TEST(smack_privileges_150_independent_apps)
 
 RUNNER_CHILD_TEST(smack_privileges_160_nonhybrid_package)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_160_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -579,6 +730,8 @@ RUNNER_CHILD_TEST(smack_privileges_160_nonhybrid_package)
 
 RUNNER_CHILD_TEST(smack_privileges_170_hybrid_package)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_170_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();
 
@@ -630,6 +783,8 @@ RUNNER_CHILD_TEST(smack_privileges_170_hybrid_package)
 
 RUNNER_CHILD_TEST(smack_privileges_180_hybrid_package_both_apps_privileged)
 {
+    SmackPrivGroupEnv::Install(SmackPrivSetup::INTERNET_ONLY);
+
     TemporaryTestUser testUser("sm_test_180_user_name", GUM_USERTYPE_NORMAL, true);
     testUser.create();