-DAPP_USER="security_test_user" \
-DCKM_TEST_DIR=%{ckm_test_dir} \
-DCKM_RW_DATA_DIR=%{ckm_rw_data_dir} \
- -DGLOBAL_APP_DIR=%{TZ_SYS_RW_APP}
+ -DGLOBAL_APP_DIR=%{TZ_SYS_RW_APP} \
+ -DLOCAL_APP_DIR="%{TZ_SYS_HOME}/security_test_user/apps_rw"
make %{?jobs:-j%jobs}
%install
/etc/smack/test_smack_rules
/etc/smack/test_smack_rules_lnk
%{TZ_SYS_RW_APP}*
+%{TZ_SYS_HOME}/security_test_user/apps_rw/*
/usr/bin/cynara-test
/usr/bin/ckm-tests
/usr/bin/ckm-integration-tests
#ifndef DPL_TEST_RUNNER_H
#define DPL_TEST_RUNNER_H
+#include <cerrno>
#include <chrono>
#include <cstdlib>
#include <cstring>
-# Copyright (c) 2014-2015 Samsung Electronics Co., Ltd All Rights Reserved
+# Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_commons.cpp
${PROJECT_SOURCE_DIR}/src/cynara-tests/common/cynara_test_file_operations.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases.cpp
+ ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_app_defined_privilege.cpp
+ ${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_app_policy.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_credentials.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_dyntransition.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/test_cases_nss.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/app_files/
DESTINATION ${GLOBAL_APP_DIR}
)
+
+INSTALL(DIRECTORY
+ ${PROJECT_SOURCE_DIR}/src/security-manager-tests/app_files/
+ DESTINATION ${LOCAL_APP_DIR}
+)
\ No newline at end of file
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICgjCCAesCCQDxfX3d8avYqTANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
+UEwxETAPBgNVBAcMCFdhcnN6YXdhMRUwEwYDVQQKDAxBQkMgU29mdHdhcmUxIzAh
+BgNVBAMMGmFwcF9kZWZfcHJvdmlkZXJfMDFfcGtnX2lkMScwJQYJKoZIhvcNAQkB
+FhhkZXZlbG9wZXJAYWJjc29mdHdhcmUucGwwHhcNMTcwNjE2MTM0ODQ5WhcNMjcw
+NjE0MTM0ODQ5WjCBhDELMAkGA1UEBhMCUEwxETAPBgNVBAcMCFdhcnN6YXdhMRUw
+EwYDVQQKDAxTb2Z0d2FyZU1pbmQxITAfBgNVBAMMGGFwcF9kZWZfY2xpZW50XzAx
+X3BrZ19pZDEoMCYGCSqGSIb3DQEJARYZZGV2ZWxvcGVyQHNvZnR3YXJlbWluZC5w
+bDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7CasEbnPHmwH3NziitfV8Bym
+AbkJAA2QSYZx5+7ZIRjKT96Ic8E/knAqhImwYAje2eTkmwZF/I9eW+kB/LhZ0+G9
+1FBJa5Rd+JzxHl8xti4bbPRDWrHTcVBv9wYA3Z1Gw0ZpM0I4cw1vR1hF91uZnmyn
+vrPMJQZoi1wTutuTmc8CAwEAATANBgkqhkiG9w0BAQsFAAOBgQCe2CawuDMwrfVt
+ls0+oOWOah7gv5jT/W/hVYBP2mkDrfkue4o1smzOtYAPzRVJowRvv744U57i8gZF
+VXsnHmgvs1WctIo8uLEbT34ByC/5ZBrxPlBNYVvbI3c0wMyzuMl3IcUUITVZDjnA
+URpaTvbfzPaMWa707OIodz023NVsqw==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAkOgAwIBAgIJAPhC7Hq3hyJOMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
+VQQGEwJQTDERMA8GA1UEBwwIV2Fyc3phd2ExFTATBgNVBAoMDEFCQyBTb2Z0d2Fy
+ZTEjMCEGA1UEAwwaYXBwX2RlZl9wcm92aWRlcl8wMV9wa2dfaWQxJzAlBgkqhkiG
+9w0BCQEWGGRldmVsb3BlckBhYmNzb2Z0d2FyZS5wbDAeFw0xNzA2MTYxMzQzNDBa
+Fw0yNzA2MTQxMzQzNDBaMIGFMQswCQYDVQQGEwJQTDERMA8GA1UEBwwIV2Fyc3ph
+d2ExFTATBgNVBAoMDEFCQyBTb2Z0d2FyZTEjMCEGA1UEAwwaYXBwX2RlZl9wcm92
+aWRlcl8wMV9wa2dfaWQxJzAlBgkqhkiG9w0BCQEWGGRldmVsb3BlckBhYmNzb2Z0
+d2FyZS5wbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA1YYOkwVhNOmwSggB
+FQC9HlGKFyfP3iPWg0fgf4IXK3JTwJlL+vjBQW00HrnJKAB3jVZJTSeUbCgjOcro
+CoiOXwrNvyXPfP0Ie86ZD5pJa/NZrkI8K49tKzd3YKcAYfQeLueiMUfl9mUfae3C
+MgV8BN3vJKAcZ/uZBGHz1kBXI7ECAwEAAaNQME4wHQYDVR0OBBYEFBws5EM3Emqd
+/UDKqFt9QC3LZpw5MB8GA1UdIwQYMBaAFBws5EM3Emqd/UDKqFt9QC3LZpw5MAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEArVudtj73a7WT49IIMRqWNv6l
+uIK/9DTLUFNKEZWrxRC9keFKOVeOmrwdefKPkHqhVNad4p4sPB6V6w0ySezDbc/S
+9xNRDlJxGzFZG/rc9amjlxiZ7NP95RhAY+8YoAMaAVhFYA7vlRADeGr3HVhmgHKn
+yVnwuKl0fM000vcjCYo=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIC2jCCAkOgAwIBAgIJAN81DP/b09DiMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
+VQQGEwJQTDERMA8GA1UEBwwIV2Fyc3phd2ExFTATBgNVBAoMDFhZWiBTb2Z0d2Fy
+ZTEjMCEGA1UEAwwaYXBwX2RlZl9wcm92aWRlcl8wMV9wa2dfaWQxJzAlBgkqhkiG
+9w0BCQEWGGRldmVsb3BlckB4eXpzb2Z0d2FyZS5wbDAeFw0xNzA2MTYxMzQ0Mzha
+Fw0yNzA2MTQxMzQ0MzhaMIGFMQswCQYDVQQGEwJQTDERMA8GA1UEBwwIV2Fyc3ph
+d2ExFTATBgNVBAoMDFhZWiBTb2Z0d2FyZTEjMCEGA1UEAwwaYXBwX2RlZl9wcm92
+aWRlcl8wMV9wa2dfaWQxJzAlBgkqhkiG9w0BCQEWGGRldmVsb3BlckB4eXpzb2Z0
+d2FyZS5wbDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAu7vI/F81XlyIZ1TA
+gSKScm1wLKFu20EHKb3CPdP85TlysqAL8azNM21NPbtNVH2EvT4aBFwJBAtH6Yna
+M2w7bmf4u0aevX6CQSr0470bBL7WMFaOmR1HsN+oBcxo0JZc9zZ+pmPCzMkGENPG
+vK6WWMhd38G/Os1OYCJhfVCqC9MCAwEAAaNQME4wHQYDVR0OBBYEFC4z5C8psJfV
+e5ltZtXpjLxmfq6hMB8GA1UdIwQYMBaAFC4z5C8psJfVe5ltZtXpjLxmfq6hMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAggzGilI7ibnN2AxoYUZm5Kau
+D1mR7W0AHWFnOuqh/gWssfc9OvYEiSU5QlwF0k27siYyXlhWbd5kC1XN6wn2XULu
+kcxeMkqn4RuUCCmjR6Cvsh+JRXfK/6v9lmRJHy5xSAZZRHEBUCduFCeO/RYjRC1j
+SujDasFw3PDyhuueTPI=
+-----END CERTIFICATE-----
--- /dev/null
+/*
+ * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#pragma once
+
+#include <string>
+#include <utility>
+#include <vector>
+#include <tuple>
+
+#include <security-manager-types.h>
+#include <dpl/test/test_runner.h>
+
+class Privilege {
+public:
+ enum Type {
+ UNSET,
+ UNTRUSTED,
+ LICENSED,
+ };
+
+ Privilege(std::string systemPrivilege, Type type = UNSET, std::string license = std::string())
+ : m_name(std::move(systemPrivilege))
+ , m_type(type)
+ , m_license(std::move(license))
+ {}
+
+ Privilege(std::string licensedPrivilege, std::string license)
+ : m_name(std::move(licensedPrivilege))
+ , m_type(LICENSED)
+ , m_license(std::move(license))
+ {}
+
+ bool isUnset() const { return m_type == UNSET; }
+ bool isUntrusted() const { return m_type == UNTRUSTED; }
+ bool isLicensed() const { return m_type == LICENSED; }
+
+ int getType() const { return m_type; }
+ app_defined_privilege_type getSMType () const {
+ RUNNER_ASSERT(m_type != UNSET);
+ if (isLicensed()) return SM_APP_DEFINED_PRIVILEGE_TYPE_LICENSED;
+ return SM_APP_DEFINED_PRIVILEGE_TYPE_UNTRUSTED;
+ }
+
+ const std::string& getName() const { return m_name; }
+ const std::string& getLicense() const { return m_license; }
+
+ const char *getNameC() const { return m_name.c_str(); }
+ const char *getLicenseC() const { return m_license.c_str(); }
+
+ operator const char *() const { return m_name.c_str(); }
+
+ operator std::string() const { return m_name; }
+
+private:
+ std::string m_name;
+ Type m_type;
+ std::string m_license;
+};
+
+typedef std::vector<Privilege> PrivilegeVector;
+
/*
- * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
m_isLocal(other.m_isLocal), m_uidGid(other.m_uidGid),
m_version(std::move(other.m_version)), m_installType(other.m_installType),
m_isHybrid(other.m_isHybrid), m_installDir(std::move(other.m_installDir)),
- m_dirTypeMap(std::move(other.m_dirTypeMap)), m_fileTypeMap(std::move(other.m_fileTypeMap)),
- m_privileges(std::move(other.m_privileges)), m_author(std::move(other.m_author)),
+ m_dirTypeMap(std::move(other.m_dirTypeMap)),
+ m_fileTypeMap(std::move(other.m_fileTypeMap)),
+ m_privileges(std::move(other.m_privileges)),
+ m_appDefinedPrivileges(std::move(other.m_appDefinedPrivileges)),
+ m_author(std::move(other.m_author)),
m_creatorPid(other.m_creatorPid)
{
other.m_creatorPid = -1;
return m_isHybrid;
}
-void AppInstallHelper::addPrivilege(const std::string &privilege) {
- m_privileges.push_back(privilege);
+void AppInstallHelper::addPrivileges(const std::vector<std::string> &privileges) {
+ for (auto &p : privileges) {
+ addPrivilege(Privilege(p));
+ }
}
-void AppInstallHelper::addPrivileges(const std::vector<std::string> &privileges) {
+std::vector<std::string> AppInstallHelper::getPrivilegesNames() const {
+ std::vector<std::string> privileges;
+ for (auto &p : m_privileges) {
+ privileges.push_back(p.getName());
+ }
+ return privileges;
+}
+
+void AppInstallHelper::addPrivilege(Privilege privilege) {
+ m_privileges.push_back(std::move(privilege));
+}
+
+void AppInstallHelper::addPrivileges(const PrivilegeVector &privileges) {
std::copy(privileges.begin(), privileges.end(), std::back_inserter(m_privileges));
}
-std::vector<std::string> AppInstallHelper::getPrivileges() const {
+const PrivilegeVector& AppInstallHelper::getPrivileges() const {
return m_privileges;
}
+void AppInstallHelper::addAppDefinedPrivilege(Privilege privilege) {
+ m_appDefinedPrivileges.push_back(std::move(privilege));
+}
+
+const PrivilegeVector& AppInstallHelper::getAppDefinedPrivileges() const {
+ return m_appDefinedPrivileges;
+}
+
void AppInstallHelper::revokeRules() const {
RUNNER_ASSERT_MSG(
0 == smack_revoke_subject(generateAppLabel().c_str()),
/*
- * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <fcntl.h>
#include <functional>
+#include <sys/types.h>
+#include <unistd.h>
+
#include <map>
#include <string>
-#include <sys/types.h>
+#include <utility>
#include <vector>
-#include <unistd.h>
#include <security-manager-types.h>
+#include <app_def_privilege.h>
struct AppInstallHelper {
const TypePathsMap& getFilesMap() const;
// Privileges
- void addPrivilege(const std::string &privilege);
- void addPrivileges(const std::vector<std::string> &privileges);
- std::vector<std::string> getPrivileges() const;
+ std::vector<std::string> getPrivilegesNames() const; // deprecated
+ void addPrivileges(const std::vector<std::string> &privileges); // deprecated
+ void addPrivilege(Privilege privilege);
+ void addPrivileges(const PrivilegeVector &privileges);
+ const PrivilegeVector& getPrivileges() const;
+
+ void addAppDefinedPrivilege(Privilege privilege);
+ const PrivilegeVector& getAppDefinedPrivileges() const;
// Smack
std::string generateAppLabel() const;
bool m_isInstallDirCreated;
TypePathsMap m_dirTypeMap;
TypePathsMap m_fileTypeMap;
- std::vector<std::string> m_privileges;
+ PrivilegeVector m_privileges;
+ PrivilegeVector m_appDefinedPrivileges;
std::string m_author;
pid_t m_creatorPid;
/*
- * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2016-2017 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
for (const auto& typePaths : app.getFilesMap())
for (const auto& path : typePaths.second)
instReq.addPath(path, typePaths.first);
- for (const auto &priv : app.getPrivileges()) {
- instReq.addPrivilege(priv.c_str());
- }
+ for (const auto &priv : app.getPrivileges())
+ instReq.addPrivilege(priv);
+ for (const auto &priv : app.getAppDefinedPrivileges())
+ instReq.addAppDefinedPrivilege(priv);
+
SecurityManagerTest::Api::install(instReq);
}
<< " Expected result: " << expectedResult);
}
-void getSecurityManagerGroups(char ***groups, size_t *groups_count, lib_retcode expectedResult)
+void getSecurityManagerGroups(gid_t **groups, size_t *groups_count, lib_retcode expectedResult)
{
int result = security_manager_groups_get(groups, groups_count);
RUNNER_ASSERT_MSG(static_cast<lib_retcode>(result) == expectedResult,
void getPkgIdByPid(pid_t pid, std::string *pkgId, std::string *appId, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void getPkgIdByCynaraClient(const std::string &client, std::string *pkgId, std::string *appId, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void appHasPrivilege(const std::string &appId, const std::string &privilege, uid_t user, int &value, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
-void getSecurityManagerGroups(char ***groups, size_t *groups_count, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
+void getSecurityManagerGroups(gid_t **groups, size_t *groups_count, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void registerPaths(const PathsRequest& req, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void labelsMonitorGetFd(const LabelMonitor &monitor, int *fd, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void labelsProcess(const LabelMonitor &monitor, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
/*
- * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
m_pkgId = std::move(pkgId);
}
-void InstallRequest::addPrivilege(const std::string &privilege, lib_retcode expectedResult)
+void InstallRequest::addPrivilege(Privilege privilege, lib_retcode expectedResult)
{
- int result = security_manager_app_inst_req_add_privilege(m_req, privilege.c_str());
+ int result = security_manager_app_inst_req_add_client_privilege(m_req,
+ privilege,
+ privilege.getLicenseC());
RUNNER_ASSERT_MSG((lib_retcode)result == expectedResult,
"adding privilege returned wrong value."
- << " Privilege: " << privilege << ";"
+ << " Privilege: " << privilege.getName() << ";"
<< " Result: " << result << ";"
<< " Expected result: " << expectedResult);
- m_privileges.push_back(privilege);
+ m_privileges.push_back(std::move(privilege));
+}
+
+void InstallRequest::addAppDefinedPrivilege(Privilege privilege, lib_retcode expectedResult)
+{
+ int result = security_manager_app_inst_req_add_app_defined_privilege(
+ m_req,
+ privilege,
+ privilege.getSMType(),
+ privilege.getLicenseC());
+
+ RUNNER_ASSERT_MSG((lib_retcode)result == expectedResult,
+ "adding app defined privilege returned wrong value."
+ << " Privilege: " << privilege.getName() << ";"
+ << " Result: " << result << ";"
+ << " Expected result: " << expectedResult);
+ m_appDefinedPrivileges.push_back(std::move(privilege));
}
void InstallRequest::addPath(std::string path, app_install_path_type pathType, lib_retcode expectedResult)
if (!request.m_pkgId.empty())
os << "pkg id: " << request.m_pkgId << "; ";
if (!request.m_privileges.empty()) {
- os << "privileges: [ " << request.m_privileges[0];
- for (size_t i=1; i < request.m_privileges.size(); ++i) {
- os << "; " << request.m_privileges[i];
+ os << "privileges: [ " << "< " << request.m_privileges[0].getName() << "; "
+ << request.m_privileges[0].getLicense() << " >";
+ for (size_t i = 1; i < request.m_privileges.size(); ++i) {
+ os << "; <" << request.m_privileges[i].getName() << "; "
+ << request.m_privileges[i].getLicense() << " >";
+ }
+ os << " ]";
+ }
+ if (!request.m_appDefinedPrivileges.empty()) {
+ os << "app defined privileges: [ " << "< "
+ << request.m_appDefinedPrivileges[0].getName() << "; "
+ << request.m_appDefinedPrivileges[0].getType() << "; "
+ << request.m_appDefinedPrivileges[0].getLicense() << " >";
+
+ for (size_t i = 1; i < request.m_appDefinedPrivileges.size(); ++i) {
+ os << "; <" << request.m_appDefinedPrivileges[i].getName() << "; "
+ << request.m_appDefinedPrivileges[i].getType() << "; "
+ << request.m_appDefinedPrivileges[i].getLicense() << " >";
}
os << " ]";
}
+
if (!request.m_paths.empty()) {
os << "paths: [ " << "< " << request.m_paths[0].first << "; "
<< request.m_paths[0].second << " >";
/*
- * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2014-2017 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
#include <vector>
#include <security-manager.h>
+#include <app_def_privilege.h>
namespace SecurityManagerTest {
class InstallRequest;
lib_retcode expectedresult = SECURITY_MANAGER_SUCCESS);
void setAppId(std::string appId, lib_retcode expectedresult = SECURITY_MANAGER_SUCCESS);
void setPkgId(std::string pkgId, lib_retcode expectedresult = SECURITY_MANAGER_SUCCESS);
- void addPrivilege(const std::string &privilege, lib_retcode expectedresult = SECURITY_MANAGER_SUCCESS);
+ void addPrivilege(Privilege privilege, lib_retcode expectedresult = SECURITY_MANAGER_SUCCESS);
+ void addAppDefinedPrivilege(Privilege privilege, lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void addPath(std::string path, app_install_path_type pathType,
lib_retcode expectedResult = SECURITY_MANAGER_SUCCESS);
void setUid(const uid_t uid, lib_retcode expectedresult = SECURITY_MANAGER_SUCCESS);
std::string m_appId;
std::string m_pkgId;
std::string m_authorId;
- std::vector<std::string> m_privileges;
+ PrivilegeVector m_privileges;
+ PrivilegeVector m_appDefinedPrivileges;
std::vector<std::pair<std::string, app_install_path_type> > m_paths;
std::pair<bool, uid_t> m_uid;
};
ScopedInstaller appInstall(app);
check_app_after_install(app.getAppId(), app.getPkgId(),
- app.getPrivileges(), someDeniedPrivs);
+ app.getPrivilegesNames(), someDeniedPrivs);
check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
}
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivileges());
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivilegesNames());
}
RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
{
// FIXME - whitebox - cynara
const char *const MAIN_BUCKET = "MAIN";
- const char *const MANIFESTS_BUCKET = "MANIFESTS";
+ const char *const MANIFESTS_GLOBAL_BUCKET = "MANIFESTS_GLOBAL";
+ const char *const MANIFESTS_LOCAL_BUCKET = "MANIFESTS_LOCAL";
const char *const ADMIN_BUCKET = "ADMIN";
const char *const USER_TYPE_NORMAL_BUCKET = "USER_TYPE_NORMAL";
CynaraTestAdmin::Admin admin;
CynaraTestAdmin::CynaraPoliciesContainer emptyContainer;
admin.listPolicies(MAIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
- admin.listPolicies(MANIFESTS_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(MANIFESTS_GLOBAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
+ admin.listPolicies(MANIFESTS_LOCAL_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
admin.listPolicies(CYNARA_ADMIN_DEFAULT_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
}
RUNNER_TEST(security_manager_24_groups_get)
{
PolicyConfiguration pc;
- char ** c_groups;
+ gid_t * c_groups;
size_t count = 0;
Api::getSecurityManagerGroups(&c_groups, &count);
- std::unique_ptr<char *, std::function<void(char **)>> groupsPtr(c_groups, [count] (char ** groups) {
- security_manager_groups_free(groups, count);
- });
+ std::unique_ptr<gid_t, decltype(free)*> groupsPtr(c_groups, free);
- auto policyGroups = pc.getGroup();
+ auto policyGroups = pc.getGid();
RUNNER_ASSERT_MSG(count == policyGroups.size(), "security_manager_groups_get should set count to: "
<< policyGroups.size() << " but count is: " << count);
--- /dev/null
+/*
+ * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <functional>
+#include <string>
+#include <sys/types.h>
+#include <sys/un.h>
+#include <unistd.h>
+
+#include <cynara_test_client.h>
+#include <dpl/test/test_runner.h>
+#include <sm_api.h>
+#include <sm_commons.h>
+#include <sm_request.h>
+#include <tests_common.h>
+#include <tzplatform.h>
+#include <app_install_helper.h>
+#include <scoped_installer.h>
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_APP_DEFINED_PRIVILEGE)
+
+using namespace SecurityManagerTest;
+
+RUNNER_CHILD_TEST(app_defined_01_global_install_untrusted)
+{
+ const Privilege privilege(
+ "http://tizen.org/untrusted/devstudio/statistic",
+ Privilege::UNTRUSTED);
+ const std::string providerAppId = "app_def_01_provider";
+ const std::string clientAppId = "app_def_01_client";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M3S3SSI0N";
+
+ AppInstallHelper provider(providerAppId);
+ AppInstallHelper client(clientAppId);
+
+ std::string clientLabel = client.generateAppLabel();
+
+ provider.addAppDefinedPrivilege(privilege);
+ client.addPrivilege(privilege);
+
+ ScopedInstaller req1(provider);
+ ScopedInstaller req2(client);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(clientLabel, session, ownerId, privilege, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall provider
+ req1.uninstallApp();
+
+ cynara.check(clientLabel, session, ownerId, privilege, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_02_global_install_licensed)
+{
+ const Privilege providerPrivilegeLicense(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_provider_01_pkg_id/cert/abcsoftware.pem");
+ const Privilege clientPrivilegeLicense(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/softwaremind.pem");
+ const std::string providerAppId = "app_def_provider_01";
+ const std::string clientAppId = "app_def_client_01";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper provider(providerAppId);
+ AppInstallHelper client(clientAppId);
+
+ std::string clientLabel = client.generateAppLabel();
+
+ provider.addAppDefinedPrivilege(providerPrivilegeLicense);
+ client.addPrivilege(clientPrivilegeLicense);
+
+ ScopedInstaller req1(provider);
+ ScopedInstaller req2(client);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicense, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall provider
+ req1.uninstallApp();
+
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicense, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_03_database_update)
+{
+ const Privilege privilegeA(
+ "http://tizen.org/untrusted/devstudio/statistic", Privilege::UNTRUSTED);
+ const Privilege privilegeB(
+ "http://tizen.org/untrusted/gamestudio/football", Privilege::UNTRUSTED);
+
+ const std::string providerAppIdA = "app_def_provider_01";
+ const std::string providerAppIdB = "app_def_provider_02";
+ const std::string clientAppId = "app_def_client_01";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper providerA(providerAppIdA);
+ AppInstallHelper providerB(providerAppIdB);
+ AppInstallHelper client(clientAppId);
+ client.setHybrid();
+ std::string clientLabel = client.generateAppLabel();
+
+ providerA.addAppDefinedPrivilege(privilegeA);
+ providerB.addAppDefinedPrivilege(privilegeB);
+ client.addPrivilege(privilegeA);
+ client.addPrivilege(privilegeB);
+
+ ScopedInstaller req1(providerA);
+ ScopedInstaller req2(providerB);
+ ScopedInstaller req3(client);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(clientLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall providerA
+ req1.uninstallApp();
+
+ cynara.check(clientLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+
+ // uninstall providerB
+ req2.uninstallApp();
+
+ cynara.check(clientLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_04_app_update)
+{
+ const Privilege providerPrivilegeLicenseA(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_provider_01_pkg_id/cert/abcsoftware.pem");
+ const Privilege clientPrivilegeLicenseA(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/softwaremind.pem");
+ const Privilege privilegeB(
+ "http://tizen.org/untrusted/devstudio/statistic",
+ Privilege::UNTRUSTED);
+ const Privilege providerPrivilegeLicenseC(
+ "http://tizen.org/licensed/xyzsoftware/camera",
+ "/opt/usr/globalapps/app_def_provider_01_pkg_id/cert/xyzsoftware.der");
+ const Privilege clientPrivilegeLicenseC(
+ "http://tizen.org/licensed/xyzsoftware/camera",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/futuremind.der");
+
+ const std::string providerAppId = "app_def_provider_01";
+ const std::string clientAppId = "app_def_client_01";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper providerV1(providerAppId);
+ AppInstallHelper providerV2(providerAppId);
+ AppInstallHelper client(clientAppId);
+
+ std::string clientLabel = client.generateAppLabel();
+
+ providerV1.addAppDefinedPrivilege(providerPrivilegeLicenseA);
+ providerV1.addAppDefinedPrivilege(privilegeB);
+ client.addPrivilege(clientPrivilegeLicenseA);
+ client.addPrivilege(privilegeB);
+ client.addPrivilege(clientPrivilegeLicenseC);
+
+ ScopedInstaller req1(providerV1);
+ ScopedInstaller req2(client);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicenseA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicenseC, CYNARA_API_ACCESS_DENIED);
+
+ // update provider version, remove privilegeA, add privilegeC
+ providerV2.addAppDefinedPrivilege(privilegeB);
+ providerV2.addAppDefinedPrivilege(providerPrivilegeLicenseC);
+
+ ScopedInstaller req3(providerV2);
+
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicenseA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLabel, session, ownerId, privilegeB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicenseC, CYNARA_API_ACCESS_ALLOWED);
+}
+
+RUNNER_CHILD_TEST(app_defined_05_global_local_install)
+{
+ const Privilege privilegeA(
+ "http://tizen.org/untrusted/devstudio/statistic",
+ Privilege::UNTRUSTED);
+ const Privilege providerLocalPrivilegeLicenseB(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/home/security_test_user/apps_rw/app_def_provider_01_pkg_id/cert/abcsoftware.pem");
+ const Privilege clientGlobalPrivilegeLicenseB(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/softwaremind.pem");
+ const Privilege clientLocalPrivilegeLicenseB(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/home/security_test_user/apps_rw/app_def_client_01_pkg_id/cert/softwaremind.pem");
+ const Privilege privilegeC(
+ "http://tizen.org/untrusted/gamestudio/football",
+ Privilege::UNTRUSTED);
+
+ const std::string providerAppId = "app_def_provider_01";
+ const std::string clientAppId = "app_def_client_01";
+ const std::string ownerId = "5001";
+ const std::string bobId = "5002";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper providerGlobal(providerAppId);
+ AppInstallHelper providerLocal(providerAppId, 5002);
+ AppInstallHelper clientGlobal(clientAppId);
+ AppInstallHelper clientLocal(clientAppId, 5002);
+
+ std::string clientGlobalLabel = clientGlobal.generateAppLabel();
+ std::string clientLocalLabel = clientLocal.generateAppLabel();
+
+ providerGlobal.addAppDefinedPrivilege(privilegeA);
+ providerGlobal.addAppDefinedPrivilege(privilegeC);
+ providerLocal.addAppDefinedPrivilege(privilegeA);
+ providerLocal.addAppDefinedPrivilege(providerLocalPrivilegeLicenseB);
+
+ clientGlobal.addPrivilege(privilegeA);
+ clientGlobal.addPrivilege(clientGlobalPrivilegeLicenseB);
+ clientGlobal.addPrivilege(privilegeC);
+ clientLocal.addPrivilege(clientLocalPrivilegeLicenseB);
+ clientLocal.addPrivilege(privilegeC);
+
+ CynaraTestClient::Client cynara;
+
+ // local provider only and global consumer only
+ ScopedInstaller req1(providerLocal);
+ ScopedInstaller req2(clientGlobal);
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientGlobalLabel, session, ownerId, clientGlobalPrivilegeLicenseB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientGlobalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientGlobalLabel, session, bobId, clientGlobalPrivilegeLicenseB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientGlobalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // local provider only and global/local consumer
+ ScopedInstaller req3(clientLocal);
+ cynara.check(clientLocalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLocalLabel, session, bobId, clientLocalPrivilegeLicenseB, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLocalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // global/local provider and global/local consumer
+ ScopedInstaller req4(providerGlobal);
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientGlobalLabel, session, ownerId, clientGlobalPrivilegeLicenseB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLocalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLocalLabel, session, bobId, clientLocalPrivilegeLicenseB, CYNARA_API_ACCESS_ALLOWED);
+ //cynara.check(clientLocalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_DENIED);
+
+ // global provider only and global/local consumer
+ req1.uninstallApp();
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientGlobalLabel, session, ownerId, clientGlobalPrivilegeLicenseB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientLocalLabel, session, bobId, privilegeA, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLocalLabel, session, bobId, clientLocalPrivilegeLicenseB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientLocalLabel, session, bobId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+
+ // global provider only and global consumer only
+ req3.uninstallApp();
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeA, CYNARA_API_ACCESS_ALLOWED);
+ cynara.check(clientGlobalLabel, session, ownerId, clientGlobalPrivilegeLicenseB, CYNARA_API_ACCESS_DENIED);
+ cynara.check(clientGlobalLabel, session, ownerId, privilegeC, CYNARA_API_ACCESS_ALLOWED);
+}
+
+RUNNER_CHILD_TEST(app_defined_06_get_provider)
+{
+ int result;
+ char *pkgId = nullptr;
+ char *appId = nullptr;
+ const Privilege privilegeA(
+ "http://tizen.org/untrusted/devstudio/statistic",
+ Privilege::UNTRUSTED);
+ const Privilege privilegeB(
+ "http://tizen.org/untrusted/gamestudio/running",
+ Privilege::UNTRUSTED);
+ const std::string providerAppId = "app_def_06_provider";
+ uid_t uid = 5001;
+
+ AppInstallHelper providerGlobal(providerAppId);
+ AppInstallHelper providerLocal(providerAppId, uid);
+ providerGlobal.addAppDefinedPrivilege(privilegeB);
+ providerLocal.addAppDefinedPrivilege(privilegeA);
+ ScopedInstaller req1(providerGlobal);
+ ScopedInstaller req2(providerLocal);
+
+ result = security_manager_get_app_defined_privilege_provider("noExistingPrivilege",
+ uid, &pkgId, &appId);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(appId == nullptr);
+ RUNNER_ASSERT(pkgId == nullptr);
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeA,
+ uid+1, &pkgId, &appId);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(appId == nullptr);
+ RUNNER_ASSERT(pkgId == nullptr);
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeA,
+ uid, nullptr, nullptr);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeA,
+ uid, &pkgId, nullptr);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(pkgId && std::string(pkgId) == providerLocal.getPkgId());
+ free(pkgId);
+ pkgId = nullptr;
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeA,
+ uid, nullptr, &appId);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(appId && std::string(appId) == providerLocal.getAppId());
+ free(appId);
+ appId = nullptr;
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeA,
+ uid, &pkgId, &appId);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider failed");
+ RUNNER_ASSERT(appId && std::string(appId) == providerLocal.getAppId());
+ RUNNER_ASSERT(pkgId && std::string(pkgId) == providerLocal.getPkgId());
+ free(appId);
+ free(pkgId);
+ appId = nullptr;
+ pkgId = nullptr;
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeB,
+ uid, &pkgId, &appId);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT,
+ "Local installation of application should 'hide' this privilege. Provider should not be found.");
+ RUNNER_ASSERT(appId == nullptr);
+ RUNNER_ASSERT(pkgId == nullptr);
+}
+
+RUNNER_CHILD_TEST(app_defined_07_get_provider_license)
+{
+ int result;
+ char *license = nullptr;
+ const Privilege providerLocalPrivilegeLicenseA(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/home/security_test_user/apps_rw/app_def_provider_01_pkg_id/cert/abcsoftware.pem");
+ const Privilege providerGlobalPrivilegeLicenseB(
+ "http://tizen.org/licensed/xyzsoftware/camera",
+ "/opt/usr/globalapps/app_def_provider_01_pkg_id/cert/xyzsoftware.der");
+ const Privilege privilegeBuntrusted(
+ providerGlobalPrivilegeLicenseB.getName(), Privilege::UNTRUSTED);
+
+ const std::string providerAppId = "app_def_provider_01";
+ uid_t uid = 5002;
+
+ AppInstallHelper providerGlobal(providerAppId);
+ AppInstallHelper providerLocal(providerAppId, uid);
+ providerGlobal.addAppDefinedPrivilege(providerGlobalPrivilegeLicenseB);
+ providerLocal.addAppDefinedPrivilege(providerLocalPrivilegeLicenseA);
+ providerLocal.addAppDefinedPrivilege(privilegeBuntrusted);
+
+ ScopedInstaller req1(providerGlobal);
+ ScopedInstaller req2(providerLocal);
+
+ result = security_manager_get_app_defined_privilege_license(nullptr, uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_app_defined_privilege_license(providerLocalPrivilegeLicenseA, uid, nullptr);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+
+ result = security_manager_get_app_defined_privilege_license("noExistingPrivilege", uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_app_defined_privilege_license(privilegeBuntrusted, uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_app_defined_privilege_license(providerLocalPrivilegeLicenseA, uid+1, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_app_defined_privilege_license(providerLocalPrivilegeLicenseA, uid, &license);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider license failed");
+ RUNNER_ASSERT(license && providerLocalPrivilegeLicenseA.getLicense() == license);
+ free(license);
+ license = nullptr;
+
+ req2.uninstallApp();
+ result = security_manager_get_app_defined_privilege_license(providerGlobalPrivilegeLicenseB, uid, &license);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege provider license failed");
+ RUNNER_ASSERT(license && providerGlobalPrivilegeLicenseB.getLicense() == license);
+ free(license);
+ license = nullptr;
+}
+
+RUNNER_CHILD_TEST(app_defined_08_add_get_license_with_untrusted_priv)
+{
+ int result;
+ char *license = nullptr;
+ char *appId = nullptr;
+ char *pkgId = nullptr;
+
+ const Privilege privilegeUntrusted(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ Privilege::UNTRUSTED);
+
+ const std::string providerAppId = "app_def_provider_07";
+ const std::string clientAppId = "app_def_client_07";
+ uid_t uid = 5002;
+
+ AppInstallHelper providerGlobal(providerAppId);
+ providerGlobal.addAppDefinedPrivilege(privilegeUntrusted);
+
+ AppInstallHelper clientLocal(clientAppId, uid);
+ clientLocal.addPrivilege(privilegeUntrusted);
+
+ ScopedInstaller req1(providerGlobal);
+ ScopedInstaller req2(clientLocal);
+
+ result = security_manager_get_client_privilege_license(privilegeUntrusted,
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_app_defined_privilege_license(privilegeUntrusted, uid, &license);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "getting privilege provider license failed");
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_app_defined_privilege_provider(privilegeUntrusted,
+ uid, &pkgId, &appId);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_SUCCESS);
+ RUNNER_ASSERT(appId != nullptr && providerGlobal.getAppId() == appId);
+ RUNNER_ASSERT(pkgId != nullptr && providerGlobal.getPkgId() == pkgId);
+ free(appId);
+ free(pkgId);
+}
+
+RUNNER_CHILD_TEST(app_defined_09_add_get_client_license)
+{
+ int result;
+ char *license = nullptr;
+ const Privilege clientLocalPrivilegeLicenseA(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/home/security_test_user/apps_rw/app_def_client_01_pkg_id/cert/softwaremind.pem");
+ const Privilege clientGlobalPrivilegeLicenseB(
+ "http://tizen.org/licensed/xyzsoftware/camera",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/futuremind.der");
+ const Privilege privilegeBuntrusted(
+ clientGlobalPrivilegeLicenseB.getName(), Privilege::UNTRUSTED);
+
+ const std::string clientAppId = "app_def_client_01";
+ uid_t uid = 5002;
+
+ AppInstallHelper clientGlobal(clientAppId);
+ AppInstallHelper clientLocal(clientAppId, uid);
+ clientGlobal.addPrivilege(clientGlobalPrivilegeLicenseB);
+ clientLocal.addPrivilege(clientLocalPrivilegeLicenseA);
+ clientLocal.addPrivilege(privilegeBuntrusted);
+ ScopedInstaller req1(clientGlobal);
+ ScopedInstaller req2(clientLocal);
+
+ result = security_manager_get_client_privilege_license(nullptr,
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_client_privilege_license(clientLocalPrivilegeLicenseA, nullptr, nullptr,
+ uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_client_privilege_license(clientLocalPrivilegeLicenseA,
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid, nullptr);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_INPUT_PARAM);
+
+ result = security_manager_get_client_privilege_license("noExistingPrivilege",
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_client_privilege_license(clientLocalPrivilegeLicenseA, "noExistingPkg", "noExistingApp",
+ uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_client_privilege_license(privilegeBuntrusted,
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_client_privilege_license(clientLocalPrivilegeLicenseA,
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid+1, &license);
+ RUNNER_ASSERT(result == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ RUNNER_ASSERT(license == nullptr);
+
+ result = security_manager_get_client_privilege_license(clientLocalPrivilegeLicenseA,
+ clientLocal.getPkgId().c_str(),
+ clientLocal.getAppId().c_str(),
+ uid, &license);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege license failed");
+ RUNNER_ASSERT(license && clientLocalPrivilegeLicenseA.getLicense() == license);
+ free(license);
+ license = nullptr;
+
+ req2.uninstallApp();
+ result = security_manager_get_client_privilege_license(clientGlobalPrivilegeLicenseB,
+ clientGlobal.getPkgId().c_str(),
+ clientGlobal.getAppId().c_str(),
+ uid, &license);
+ RUNNER_ASSERT_MSG(result == SECURITY_MANAGER_SUCCESS, "getting privilege license failed");
+ RUNNER_ASSERT(license && clientGlobalPrivilegeLicenseB.getLicense() == license);
+ free(license);
+ license = nullptr;
+}
+
+RUNNER_CHILD_TEST(app_defined_10_check_system_privileges)
+{
+ const std::string providerAppId = "app_def_09_provider";
+ const Privilege privilege("http://tizen.org/privilege/internet", Privilege::UNTRUSTED);
+
+ InstallRequest requestInst;
+ requestInst.setAppId(providerAppId);
+ requestInst.setPkgId(providerAppId);
+ requestInst.addAppDefinedPrivilege(privilege);
+ Api::install(requestInst, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ Api::uninstall(requestInst);
+}
+
+RUNNER_CHILD_TEST(app_defined_11_invalid_license)
+{
+ const Privilege providerPrivilegeLicense(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_provider_01_pkg_id/cert/abcsoftware.pem");
+ const Privilege clientPrivilegeLicense(
+ "http://tizen.org/licensed/abcsoftware/calendar",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/futuremind.der");
+ const std::string providerAppId = "app_def_provider_01";
+ const std::string clientAppId = "app_def_client_01";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper provider(providerAppId);
+ AppInstallHelper client(clientAppId);
+ client.setHybrid();
+ std::string clientLabel = client.generateAppLabel();
+
+ provider.addAppDefinedPrivilege(providerPrivilegeLicense);
+ client.addPrivilege(clientPrivilegeLicense);
+
+ ScopedInstaller req1(provider);
+ ScopedInstaller req2(client);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicense, CYNARA_API_ACCESS_DENIED);
+}
+
+RUNNER_CHILD_TEST(app_defined_12_invalid_common_name)
+{
+ const Privilege providerPrivilegeLicense(
+ "http://tizen.org/licensed/xyzsoftware/camera",
+ "/opt/usr/globalapps/app_def_provider_02_pkg_id/cert/xyzsoftware.pem");
+ const Privilege clientPrivilegeLicense(
+ "http://tizen.org/licensed/xyzsoftware/camera",
+ "/opt/usr/globalapps/app_def_client_01_pkg_id/cert/futuremind.der");
+ const std::string providerAppId = "app_def_provider_02";
+ const std::string clientAppId = "app_def_client_01";
+ const std::string ownerId = "5001";
+ const std::string session = "S0M33S3SSI0N";
+
+ AppInstallHelper provider(providerAppId);
+ AppInstallHelper client(clientAppId);
+ client.setHybrid();
+ std::string clientLabel = client.generateAppLabel();
+
+ provider.addAppDefinedPrivilege(providerPrivilegeLicense);
+ client.addPrivilege(clientPrivilegeLicense);
+
+ ScopedInstaller req1(provider);
+ ScopedInstaller req2(client);
+
+ CynaraTestClient::Client cynara;
+ cynara.check(clientLabel, session, ownerId, clientPrivilegeLicense, CYNARA_API_ACCESS_DENIED);
+}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string>
+#include <vector>
+
+#include <app_install_helper.h>
+#include <scoped_installer.h>
+#include <sm_api.h>
+#include <temp_test_user.h>
+#include <tests_common.h>
+
+#include <dpl/test/test_runner.h>
+#include <dpl/test/test_runner_child.h>
+
+const std::vector<std::string> TEST_PRIVACY_PRIVILEGES = {
+ "http://tizen.org/privilege/callhistory.read",
+ "http://tizen.org/privilege/account.read",
+ "http://tizen.org/privilege/healthinfo" };
+
+using namespace SecurityManagerTest;
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_APP_POLICY)
+
+RUNNER_CHILD_TEST(security_manager_ap1_app_policy_fetch_for_self) {
+ TemporaryTestUser tmpUser("sm_test_ap1_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser.create();
+
+ unsigned expectedPolicyCount = 1;
+
+ AppInstallHelper app("sm_test_ap1", tmpUser.getUid());
+ app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
+
+ ScopedInstaller appInstall(app);
+
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+ if (pid != 0) { //parent process
+ waitPid(pid);
+ } else { //child process
+ Api::setProcessLabel(app.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(
+ drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ std::string uidStr = tmpUser.getUidString();
+ for (const auto &appPrivilege : app.getPrivileges()) {
+ PolicyEntry filter(app.getAppId(), uidStr, appPrivilege);
+
+ std::vector<PolicyEntry> policyEntries;
+ Api::getPolicyForSelf(filter, policyEntries);
+
+ RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 1,
+ "Number of policies doesn't match - should be: " << expectedPolicyCount << " and is " << policyEntries.size());
+
+ for (const auto &policyEntry : policyEntries) {
+ std::string user = policyEntry.getUser();
+ std::string appId = policyEntry.getAppId();
+ std::string privilege = policyEntry.getPrivilege();
+
+ RUNNER_ASSERT_MSG(appId == app.getAppId(),
+ "Policy returned for wrong appId," " expected : " << app.getAppId() << ", got : " << appId);
+ RUNNER_ASSERT_MSG(user == uidStr,
+ "Policy returned for wrong user," " expected : " << uidStr << ", got : " << user);
+ RUNNER_ASSERT_MSG(privilege == appPrivilege.getName(),
+ "Policy returned for wrong privilege," " expected : " << appPrivilege << ", got : " << privilege);
+
+ }
+ }
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_ap2_app_policy_fetch_for_self_different_user) {
+ TemporaryTestUser tmpUser("sm_test_ap2_1_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser.create();
+ TemporaryTestUser tmpUser2("sm_test_ap2_2_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser2.create();
+
+ AppInstallHelper app("sm_test_ap2", tmpUser.getUid());
+ app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
+
+ ScopedInstaller appInstall(app);
+
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+ if (pid != 0) { //parent process
+ waitPid(pid);
+ } else { //child process
+ Api::setProcessLabel(app.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(
+ drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ std::string wrongUidStr = tmpUser2.getUidString();
+ for (const auto &appPrivilege : app.getPrivileges()) {
+ PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege);
+
+ std::vector<PolicyEntry> policyEntries;
+ Api::getPolicyForSelf(filter, policyEntries,
+ SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ }
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_user_global) {
+ TemporaryTestUser tmpUser("sm_test_ap3_1_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser.create();
+ TemporaryTestUser tmpUser2("sm_test_ap3_2_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser2.create();
+
+ AppInstallHelper app("sm_test_ap3");
+ app.setInstallType(SM_APP_INSTALL_GLOBAL);
+ app.addPrivileges(TEST_PRIVACY_PRIVILEGES);
+
+ ScopedInstaller appInstall(app);
+
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+ if (pid != 0) { //parent process
+ waitPid(pid);
+ } else { //child process
+ Api::setProcessLabel(app.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(
+ drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ std::string wrongUidStr = tmpUser2.getUidString();
+ for (const auto &appPrivilege : app.getPrivileges()) {
+ PolicyEntry filter(app.getAppId(), wrongUidStr, appPrivilege);
+
+ std::vector<PolicyEntry> policyEntries;
+ Api::getPolicyForSelf(filter, policyEntries,
+ SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ }
+ exit(0);
+ }
+}
+
+RUNNER_CHILD_TEST(security_manager_ap3_app_policy_fetch_for_self_different_app) {
+ TemporaryTestUser tmpUser("sm_test_ap3_user_name", GUM_USERTYPE_NORMAL, false);
+ tmpUser.create();
+
+ AppInstallHelper app1("sm_test_ap3_1", tmpUser.getUid());
+ app1.addPrivileges(TEST_PRIVACY_PRIVILEGES);
+
+ AppInstallHelper app2("sm_test_ap3_2", tmpUser.getUid());
+ app2.addPrivileges(TEST_PRIVACY_PRIVILEGES);
+
+ ScopedInstaller appInstall1(app1);
+ ScopedInstaller appInstall2(app2);
+
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid != -1, "Fork failed");
+ if (pid != 0) { //parent process
+ waitPid(pid);
+ } else { //child process
+ Api::setProcessLabel(app1.getAppId());
+ RUNNER_ASSERT_ERRNO_MSG(
+ drop_root_privileges(tmpUser.getUid(), tmpUser.getGid()) == 0,
+ "drop_root_privileges failed");
+
+ std::string uidStr = tmpUser.getUidString();
+ for (const auto &appPrivilege : app1.getPrivileges()) {
+ PolicyEntry filter(app2.getAppId(), uidStr, appPrivilege);
+
+ std::vector<PolicyEntry> policyEntries;
+ Api::getPolicyForSelf(filter, policyEntries,
+ SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ }
+ exit(0);
+ }
+}
}
};
-bool isPrivilegePrivacy(const std::string &priv) {
- return (1 == privilege_info_is_privacy(priv.c_str()));
+bool isPrivilegePrivacy(const Privilege &priv) {
+ return (1 == privilege_info_is_privacy(priv));
}
-int countPrivacyPrivileges(const Privileges &privs) {
+int countPrivacyPrivileges(const PrivilegeVector &privs) {
return std::count_if(privs.begin(), privs.end(), isPrivilegePrivacy);
}
RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app);
AppInstallHelper &aih = appIt->second;
- auto appPrivileges = aih.getPrivileges();
+ auto appPrivileges = aih.getPrivilegesNames();
auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
"Unexpected privilege " << privilege << " for app " << app);
AppInstallHelper &aih = userAppIdToAIHIt->second;
auto privs = aih.getPrivileges();
- auto appPrivileges = aih.getPrivileges();
+ auto appPrivileges = aih.getPrivilegesNames();
auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
"Unexpected privilege " << privilege << " for app " << app);
AppInstallHelper &aih = userAppIdToAIHIt->second;
auto privs = aih.getPrivileges();
- auto appPrivileges = aih.getPrivileges();
+ auto appPrivileges = aih.getPrivilegesNames();
auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege);
RUNNER_ASSERT_MSG(privIt != appPrivileges.end(),
"Unexpected privilege " << privilege << " for app " << app);
for (auto &priv : app.getPrivileges()) {
if (PolicyConfiguration::getIsAskuserEnabled() && isPrivilegePrivacy(priv)) {
admin.adminCheck("", true, app.generateAppLabel().c_str(),
- user.getUidString().c_str(), priv.c_str(), privacyPolicyType,
+ user.getUidString().c_str(), priv, privacyPolicyType,
nullptr);
} else {
admin.adminCheck("", true, app.generateAppLabel().c_str(),
- user.getUidString().c_str(), priv.c_str(), policyType, nullptr);
+ user.getUidString().c_str(), priv, policyType, nullptr);
}
}
}
projects / platform / core / test / security-tests.git / commitdiff