#include <fcntl.h>
#include <stdio.h>
#include <memory.h>
-#include <semaphore.h>
#include <unistd.h>
#include <attr/xattr.h>
#include <algorithm>
#include <fstream>
+#include <regex>
#include <string>
#include <unordered_set>
DEFINE_SMARTPTR(tzplatform_context_destroy, tzplatform_context, TzPlatformContextPtr);
static const privileges_t SM_ALLOWED_PRIVILEGES = {
- "http://tizen.org/privilege/location",
+ "http://tizen.org/privilege/display",
"http://tizen.org/privilege/nfc"
};
std::string genPath(int app_num, const char *postfix) {
char buf[16];
sprintf(buf, "%02d", app_num);
- return std::string("/usr/apps/sm_test_") + std::string(buf) + std::string("_pkg_id_full/") + std::string(postfix);
+ return std::string("/opt/usr/apps/sm_test_") + std::string(buf) + std::string("_pkg_id_full/") + std::string(postfix);
}
std::string genRWPath(int app_num) {
return genPath(app_num, "app_dir");
return genPath(app_num, "app_dir_rw_others_ro");
}
-static const char *const SM_RW_PATH = "/usr/apps/sm_test_02_pkg_id_full/app_dir";
+static const char *const SM_RW_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir";
-static const char *const SM_DENIED_PATH = "/usr/apps/non_app_dir";
-static const char *const SM_TRUSTED_PATH = "/usr/apps/sm_test_02_pkg_id_full/app_dir_trusted";
+static const char *const SM_DENIED_PATH = "/opt/usr/apps/non_app_dir";
+static const char *const SM_TRUSTED_PATH = "/opt/usr/apps/sm_test_02_pkg_id_full/app_dir_trusted";
static const char *const ANY_USER_REPRESENTATION = "anyuser";/*this may be actually any string*/
static const std::string EXEC_FILE("exec");
static const std::string PRIVILEGE_MANAGER_APP = "privilege_manager";
static const std::string PRIVILEGE_MANAGER_PKG = "privilege_manager";
-static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/systemsettings";
-static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/systemsettings.admin";
+static const std::string PRIVILEGE_MANAGER_SELF_PRIVILEGE = "http://tizen.org/privilege/notexist";
+static const std::string PRIVILEGE_MANAGER_ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement";
static const std::vector<std::string> MANY_APPS = {
"security_manager_10_app_1",
static const std::vector<privileges_t> MANY_APPS_PRIVILEGES = {
{
"http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
},
{
"http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/camera"
+ "http://tizen.org/privilege/datasharing"
},
{
- "http://tizen.org/privilege/contact.read",
+ "http://tizen.org/privilege/content.write",
"http://tizen.org/privilege/led",
"http://tizen.org/privilege/email"
},
"http://tizen.org/privilege/led",
"http://tizen.org/privilege/email",
"http://tizen.org/privilege/telephony",
- "http://tizen.org/privilege/camera"
+ "http://tizen.org/privilege/datasharing"
},
{
"http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/location",
+ "http://tizen.org/privilege/display",
"http://tizen.org/privilege/led",
"http://tizen.org/privilege/email"
}
};
+class ScopedProcessLabel {
+public:
+ ScopedProcessLabel() {
+ smack_new_label_from_self(&label);
+ }
+
+ ~ScopedProcessLabel() {
+ smack_set_label_for_self(label);
+ free(label);
+ }
+
+private:
+ char *label;
+};
+
static std::string generateAppLabel(const std::string &appId)
{
return "User::App::" + appId;
const std::vector<std::string> &allowed_groups)
{
TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_install(app_id, pkg_id, allowed_privs);
- dbtest.check_privileges_removed(app_id, pkg_id, denied_privs);
+ dbtest.test_db_after__app_install(app_id, pkg_id);
/*Privileges should be granted to all users if root installs app*/
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs);
const privileges_t &privileges, const bool is_pkg_removed)
{
TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_uninstall(app_id, pkg_id, privileges, is_pkg_removed);
+ dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
/*Privileges should not be granted anymore to any user*/
for(const auto& c : negative) {
int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
- RUNNER_ASSERT_MSG(result == 0,
- "Unexpected smack access: " << subject << " " << object << " " << c);
+ RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
+ " subject:" << subject <<
+ " object:" << object <<
+ " right:" << std::string(1,c) <<
+ " result:" << result <<
+ " expected:0");
}
}
RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER)
-
RUNNER_TEST(security_manager_01a_app_double_install_double_uninstall)
{
const char *const sm_app_id = "sm_test_01a_app_id_double";
const char *const pkg_id = "sm_test_03_pkg_id_set_label_from_appid_smack";
const char *const socketLabel = "not_expected_label";
std::string expected_label = generateAppLabel(app_id);
+ std::string expected_socket_label = socketLabel;
char *label = nullptr;
CStringPtr labelPtr;
int result;
RUNNER_ASSERT_ERRNO_MSG(result == 0,
"Can't set socket label. Result: " << result);
- Api::setProcessLabel(app_id);
-
- result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
- RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
- labelPtr.reset(label);
- result = expected_label.compare(label);
- RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << label);
-
- result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
- RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
- labelPtr.reset(label);
- result = expected_label.compare(label);
- RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
- expected_label << " Actual: " << label);
-
- result = smack_new_label_from_self(&label);
- RUNNER_ASSERT_MSG(result >= 0,
- " Error getting current process label");
- RUNNER_ASSERT_MSG(label != nullptr,
- " Process label is not set");
- labelPtr.reset(label);
- result = expected_label.compare(label);
- RUNNER_ASSERT_MSG(result == 0,
- " Process label is incorrect. Expected: \"" << expected_label <<
- "\" Actual: \"" << label << "\"");
+ SynchronizationPipe pipe;
+ pid_t pid = fork();
- uninstall_app(app_id, pkg_id, true);
+ if (pid != 0) { // parent process
+ pipe.claimParentEp();
+ Api::setProcessLabel(app_id);
+
+ result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPIN, &label);
+ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
+ labelPtr.reset(label);
+ result = expected_socket_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+ expected_label << " Actual: " << label);
+
+ result = smack_new_label_from_file(*sockPtr, XATTR_NAME_SMACKIPOUT, &label);
+ RUNNER_ASSERT_ERRNO_MSG(result != -1, "smack_new_label_from_file failed: " << label);
+ labelPtr.reset(label);
+ result = expected_socket_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0, "Socket label is incorrect. Expected: " <<
+ expected_label << " Actual: " << label);
+
+ result = smack_new_label_from_self(&label);
+ RUNNER_ASSERT_MSG(result >= 0,
+ " Error getting current process label");
+ RUNNER_ASSERT_MSG(label != nullptr,
+ " Process label is not set");
+ labelPtr.reset(label);
+
+ result = expected_label.compare(label);
+ RUNNER_ASSERT_MSG(result == 0,
+ " Process label is incorrect. Expected: \"" << expected_label <<
+ "\" Actual: \"" << label << "\"");
+ pipe.post();
+ waitPid(pid);
+ } else { // child process
+ pipe.claimChildEp();
+ pipe.wait();
+ uninstall_app(app_id, pkg_id, true);
+ exit(0);
+ }
}
RUNNER_CHILD_TEST_NOSMACK(security_manager_03_set_label_from_appid_nosmack)
uninstall_app(app_id, pkg_id, true);
install_app(app_id, pkg_id);
- Api::setProcessLabel(app_id);
+ {
+ ScopedProcessLabel keepLabel;
+ Api::setProcessLabel(app_id);
+ }
uninstall_app(app_id, pkg_id, true);
}
return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
}
+static uid_t getGlobalGroupId(void)
+{
+ gid_t global_uid = tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
+ errno = 0;
+ passwd* pw = getpwuid(global_uid);
+ RUNNER_ASSERT_ERRNO_MSG(pw, "getpwuid() failed.");
+ return pw->pw_gid;
+
+}
+
static const std::string appDirPath(const TemporaryTestUser &user,
const std::string &appId, const std::string &pkgId)
{
removeDir(nonAppDirPath(user));
}
+
+
RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self)
{
int result;
users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) { //parent process
+ pipe.claimParentEp();
TemporaryTestUser tmpUser(username, GUM_USERTYPE_NORMAL, false);
tmpUser.create();
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- //Start child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
- int status;
- wait(&status);
+ //Start child process
+ pipe.post();
+ waitPid(pid);
tmpUser.remove();
- };
-
- if (pid == 0) { //child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
- //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
struct passwd *pw = getUserStruct(username);
+ std::string uidStr = std::to_string(pw->pw_uid);
register_current_process_as_privilege_manager(pw->pw_uid);
int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
+ RUNNER_ASSERT_MSG(user == uidStr, "Unexpected user: " << user);
+
try {
- struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
- std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
- if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
+ std::set<std::string>::iterator tmp = users2AppsMap.at(username).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(username).at(app).end())
RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
} catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
- } catch (const std::invalid_argument& e) {
- RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
};
};
exit(0);
++privileges_count;
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) { //parent process
+ pipe.claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- //Start child
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
- int status;
- wait(&status);
+ //Start child
+ pipe.post();
+ waitPid(pid);
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
- };
- if (pid == 0) {
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
+
struct passwd *pw = getUserStruct(usernames.at(0));
+ std::string uidStr = std::to_string(pw->pw_uid);
register_current_process_as_privilege_manager(pw->pw_uid);
//change uid to normal user
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
+ RUNNER_ASSERT_MSG(uidStr == user, "Unexpected user: " << user);
+
try {
- struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
- std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
- if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
+ std::set<std::string>::iterator tmp = users2AppsMap.at(usernames.at(0)).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(usernames.at(0)).at(app).end())
RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
} catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
- } catch (const std::invalid_argument& e) {
- RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
+ RUNNER_FAIL_MSG("Unexpected policy entry: app: " << policyEntry << ". Exception: " << e.what());
};
};
exit(0);
RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_admin_privileged)
{
+ std::vector<PolicyEntry> oldPolicyVec;
+ Api::getPolicy(PolicyEntry(), oldPolicyVec);
+ std::unordered_set<PolicyEntry> oldPolicySet(oldPolicyVec.begin(), oldPolicyVec.end());
+
//TEST DATA
const std::vector<std::string> usernames = {"sm_test_12_user_name_1", "sm_test_12_user_name_2"};
- unsigned int privileges_count = 0;
+ unsigned int privileges_count = oldPolicyVec.size();
std::map<std::string, std::map<std::string, std::set<std::string>>> users2AppsMap;
std::map<std::string, std::set<std::string>> apps2PrivsMap;
for (const auto &username : usernames) {
-
for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
apps2PrivsMap.insert(std::pair<std::string, std::set<std::string>>(
MANY_APPS.at(i), std::set<std::string>(
privileges_count+=MANY_APPS_PRIVILEGES.at(i).size();
};
- users2AppsMap.insert(std::pair<std::string, std::map<std::string, std::set<std::string>>>(username, apps2PrivsMap));
+ users2AppsMap.insert(std::make_pair(username, apps2PrivsMap));
};
- users2AppsMap.at(usernames.at(1)).insert(std::pair<std::string, std::set<std::string>>(
- PRIVILEGE_MANAGER_APP, std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
+ users2AppsMap.at(usernames.at(1)).insert(std::make_pair(PRIVILEGE_MANAGER_APP,
+ std::set<std::string>{PRIVILEGE_MANAGER_SELF_PRIVILEGE, PRIVILEGE_MANAGER_ADMIN_PRIVILEGE}));
privileges_count += 2;
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) { //parent process
+ pipe.claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- //Start child
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
-
- //Wait for child to finish
- int status;
- wait(&status);
+ //Start child process
+ pipe.post();
+ waitPid(pid);
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
- };
- if (pid == 0) { //child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child failed, errno: " << errno);
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
struct passwd *pw = getUserStruct(usernames.at(1));
- register_current_process_as_privilege_manager(pw->pw_uid, true);
+ uid_t myUid = pw->pw_uid;
+ gid_t myGid = pw->pw_gid;
+ std::string uidStr1 = std::to_string(myUid);
+ pw = getUserStruct(usernames.at(0));
+ std::string uidStr0 = std::to_string(pw->pw_uid);
+ register_current_process_as_privilege_manager(myUid, true);
//change uid to normal user
- int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+ int result = drop_root_privileges(myUid, myGid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
std::vector<PolicyEntry> policyEntries;
- PolicyEntry filter;
//this call should succeed as the calling user is privileged
- Api::getPolicy(filter, policyEntries);
+ Api::getPolicy(PolicyEntry(), policyEntries);
RUNNER_ASSERT_MSG(policyEntries.size() != 0, "Policy is empty");
RUNNER_ASSERT_MSG(policyEntries.size() == privileges_count, "Number of policies doesn't match - should be: " << privileges_count << " and is " << policyEntries.size());
for (const auto &policyEntry : policyEntries) {
+ if (oldPolicySet.count(policyEntry))
+ continue;
+
std::string user = policyEntry.getUser();
std::string app = policyEntry.getAppId();
std::string privilege = policyEntry.getPrivilege();
+ RUNNER_ASSERT_MSG(user == uidStr0 || user == uidStr1, "Unexpected user: " << user);
+
+ std::string uidStrToLook = user == uidStr0 ? usernames.at(0) : usernames.at(1);
+
try {
- struct passwd *pw_current = getUserStruct(static_cast<uid_t>(std::stoul(user)));
- std::set<std::string>::iterator tmp = users2AppsMap.at(pw_current->pw_name).at(app).find(privilege);
- if (tmp == users2AppsMap.at(pw_current->pw_name).at(app).end())
+ std::set<std::string>::iterator tmp = users2AppsMap.at(uidStrToLook).at(app).find(privilege);
+ if (tmp == users2AppsMap.at(uidStrToLook).at(app).end())
RUNNER_FAIL_MSG("Unexpected policy entry: unexpected privilege: " << policyEntry);
} catch (const std::out_of_range &e) {
- RUNNER_FAIL_MSG("Unexpected policy entry: unexpected user or app: " << policyEntry << ". Exception: " << e.what());
+ RUNNER_FAIL_MSG("Unexpected policy entry: unexpected app: " << policyEntry << ". Exception: " << e.what());
} catch (const std::invalid_argument& e) {
RUNNER_FAIL_MSG("Incorrect UID: " << user << ". Exception: " << e.what());
};
//TEST DATA END
pid_t pid[2];
- sem_t *mutex[2];
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex[0] = sem_open("mutex_1", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #1, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex[1] = sem_open("mutex_2", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex #2, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex[0], 1, 0) == 0, "failed to setup mutex #1, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex[1], 1, 0) == 0, "failed to setup mutex #2, errno: " << errno);
+ SynchronizationPipe sync[2];
std::vector<PolicyEntry> policyEntries;
pid[0] = fork();
- if(pid[0] == 0) { //child #1 process
- RUNNER_ASSERT_MSG(sem_wait(mutex[0]) == 0, "sem_wait in child #1 failed, errno: " << errno);
+ if (pid[0] == 0) { //child #1 process
+ sync[0].claimChildEp();
+ sync[0].wait();
+
struct passwd *pw = getUserStruct(usernames.at(0));
register_current_process_as_privilege_manager(pw->pw_uid);
PolicyEntry filter;
PolicyRequest policyRequest;
- //this call should succeed as the calling user is privileged
- Api::getPolicyForSelf(filter, policyEntries);
-
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
PolicyEntry policyEntry(
MANY_APPS[0],
policyEntry = PolicyEntry(
MANY_APPS[1],
std::to_string(pw->pw_uid),
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
);
policyEntry.setLevel("Deny");
policyRequest.addEntry(policyEntry);
Api::sendPolicy(policyRequest);
- Api::getPolicyForSelf(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
exit(0);
- };
-
- if (pid[0] != 0) {//parent process
+ } else { //parent process
+ sync[0].claimParentEp();
pid[1] = fork();
if (pid[1] == 0) { //child #2 process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex[1]) == 0, "sem_wait in child #2 failed, errno: " << errno);
- struct passwd *pw_target = getUserStruct(usernames.at(0));
- struct passwd *pw = getUserStruct(usernames.at(1));
- register_current_process_as_privilege_manager(pw->pw_uid);
+ sync[1].claimChildEp();
+ sync[1].wait();
+
+ struct passwd *pw = getUserStruct(usernames.at(0));
+ uid_t target_uid = pw->pw_uid;
+ pw = getUserStruct(usernames.at(1));
+ uid_t my_uid = pw->pw_uid;
+ gid_t my_gid = pw->pw_gid;
+
+ register_current_process_as_privilege_manager(my_uid);
//change uid to normal user
- int result = drop_root_privileges(pw->pw_uid, pw->pw_gid);
+ int result = drop_root_privileges(my_uid, my_gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
PolicyEntry filter = PolicyEntry(
SECURITY_MANAGER_ANY,
- std::to_string(pw_target->pw_uid),
+ std::to_string(target_uid),
SECURITY_MANAGER_ANY
);
//U2 requests contents of U1 privacy manager - should fail
- Api::getPolicyForSelf(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
+ Api::getPolicyForSelf(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
filter = PolicyEntry(
SECURITY_MANAGER_ANY,
//U2 requests contents of ADMIN bucket - should fail
Api::getPolicyForAdmin(filter, policyEntries, SECURITY_MANAGER_ERROR_ACCESS_DENIED);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
+ RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty, but is " << policyEntries.size());
exit(0);
- };
-
- if (pid[1] != 0) { //parent
-
+ } else { //parent
+ sync[1].claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
- TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
+ TemporaryTestUser(usernames.at(1), GUM_USERTYPE_NORMAL, false)
};
users.at(0).create();
//check_app_after_install(MANY_APPS[i].c_str(), MANY_APPS_PKGS[i].c_str());
};
- int status;
//Start child #1
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex[0]) == 0, "Error while opening mutex #1, errno: " << errno);
-
- //Wait until child #1 finishes
- pid_t ret = wait(&status);
- RUNNER_ASSERT_MSG((ret != -1) && WIFEXITED(status), "Updating privileges failed");
+ sync[0].post();
+ waitPid(pid[0]);
//Start child #2
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex[1]) == 0, "Error while opening mutex #2, errno: " << errno);
- //Wait until child #2 finishes
- ret = wait(&status);
- RUNNER_ASSERT_MSG((ret =-1) && WIFEXITED(status), "Listing privileges failed");
+ sync[1].post();
+ waitPid(pid[1]);
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
-
- sem_close(mutex[0]);
- sem_close(mutex[1]);
};
};
}
privileges_count += 2;
//TEST DATA END
- sem_t *mutex;
- errno = 0;
- RUNNER_ASSERT_MSG(((mutex = sem_open("mutex", O_CREAT, 0644, 1)) != SEM_FAILED), "Failure creating mutex, errno: " << errno);
- errno = 0;
- RUNNER_ASSERT_MSG(sem_init(mutex, 1, 0) == 0, "failed to setup mutex, errno: " << errno);
+ SynchronizationPipe pipe;
pid_t pid = fork();
if (pid != 0) {
+ pipe.claimParentEp();
std::vector<TemporaryTestUser> users = {
TemporaryTestUser(usernames.at(0), GUM_USERTYPE_NORMAL, false),
TemporaryTestUser(usernames.at(1), GUM_USERTYPE_ADMIN, false)
Api::install(requestInst);
};
};
+
//Start child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_post(mutex) == 0, "Error while opening mutex, errno: " << errno);
- int status;
- //Wait for child process to finish
- wait(&status);
+ pipe.post();
+ waitPid(pid);
//switch back to root
- for(auto &user : users) {
+ for (auto &user : users)
user.remove();
- };
-
- sem_close(mutex);
- }
- if (pid == 0) { //child process
- errno = 0;
- RUNNER_ASSERT_MSG(sem_wait(mutex) == 0, "sem_wait in child process failed, errno: " << errno);
+ } else { //child process
+ pipe.claimChildEp();
+ pipe.wait();
- struct passwd *pw = getUserStruct(usernames.at(0));
+ struct passwd *pw = getUserStruct(usernames.at(1));
register_current_process_as_privilege_manager(pw->pw_uid, true);
//change uid to normal user
//this call should succeed as the calling user is privileged
Api::getPolicyForSelf(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 0, "Policy is not empty");
+ unsigned int policyNum = policyEntries.size();
PolicyEntry policyEntry(
SECURITY_MANAGER_ANY,
policyEntry = PolicyEntry(
SECURITY_MANAGER_ANY,
SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
);
policyEntry.setMaxLevel("Deny");
Api::sendPolicy(*policyRequest);
Api::getPolicyForAdmin(filter, policyEntries);
- RUNNER_ASSERT_MSG(policyEntries.size() == 2, "Number of policies doesn't match - should be: 2 and is " << policyEntries.size());
+ RUNNER_ASSERT_MSG(policyEntries.size() == policyNum + 2, "Number of policies doesn't match - should be: "
+ << policyNum + 2 << " and is " << policyEntries.size());
delete policyRequest;
policyRequest = new PolicyRequest();
policyEntry = PolicyEntry(
SECURITY_MANAGER_ANY,
SECURITY_MANAGER_ANY,
- "http://tizen.org/privilege/location"
+ "http://tizen.org/privilege/display"
);
policyEntry.setMaxLevel(SECURITY_MANAGER_DELETE);
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
const char *const update_app_id = "security_manager_15_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
const char *const check_start_bucket = "ADMIN";
const std::string username("sm_test_15_username");
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
struct message {
uid_t uid;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
const char *const update_other_app_id = "security_manager_15_update_other_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
const char *const check_start_bucket = "ADMIN";
const std::string username("sm_test_15_username");
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
struct message {
uid_t uid;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_other_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
const char *const update_app_id = "security_manager_15_update_app_id";
const char *const update_privilege = "http://tizen.org/privilege/led";
const char *const check_start_bucket = "";
const std::string username("sm_test_15_username");
PolicyRequest addPolicyRequest;
CynaraTestAdmin::Admin admin;
+ ScopedProcessLabel keepLabel;
struct message {
uid_t uid;
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
}
if(pid == 0)
{
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
- // without plugins there should only be 2 policies - Allow and Deny
+ // 3 should be there when ask-user is installed
ret = security_manager_policy_levels_get(&levels, &count);
RUNNER_ASSERT_MSG((lib_retcode)ret == SECURITY_MANAGER_SUCCESS,
"Invlid return code: " << ret);
- RUNNER_ASSERT_MSG(count == 2, "Invalid number of policy levels. Should be 2, instead there is: " << static_cast<int>(count));
+ RUNNER_ASSERT_MSG(count == 3, "Invalid number of policy levels. Should be 3, instead there is: " << static_cast<int>(count));
deny_policy = std::string(levels[0]);
allow_policy = std::string(levels[count-1]);
int pipefd[2];
int pipefd2[2];
- pid_t pid;
+ pid_t pid[2];
int result = 0;
+ ScopedProcessLabel keepLabel;
RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
RUNNER_ASSERT_MSG((pipe(pipefd2) != -1),"second pipe failed");
TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
- pid = fork();
- RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
- if (pid != 0)//parent process
+ pid[0] = fork();
+ RUNNER_ASSERT_MSG(pid[0] >= 0, "fork failed");
+ if (pid[0] != 0)//parent process
{
FdUniquePtr pipeptr(pipefd+1);
close(pipefd[0]);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid[0]);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_ALLOW, nullptr);
- pid = fork();
- if (pid != 0)//parent process
+ pid[1] = fork();
+ if (pid[1] != 0)//parent process
{
FdUniquePtr pipeptr(pipefd2+1);
close(pipefd2[0]);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd2[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
-
- //wait for child
- waitpid(-1, &result, 0);
+ waitPid(pid[1]);
admin.adminCheck(check_start_bucket, false, generateAppLabel(update_app_id).c_str(),
std::to_string(static_cast<int>(msg.uid)).c_str(), update_privilege, CYNARA_ADMIN_DENY, nullptr);
}
- if(pid == 0)
+ if(pid[1] == 0)
{
FdUniquePtr pipeptr(pipefd2);
close(pipefd2[1]);
ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd2[0], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
- //become admin privacy manager manager
- Api::setProcessLabel(PRIVILEGE_MANAGER_APP.c_str());
result = drop_root_privileges(msg.uid, msg.gid);
RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
exit(0);
}
}
- if(pid == 0)
+ if(pid[0] == 0)
{
FdUniquePtr pipeptr(pipefd);
close(pipefd[1]);
int pipefd[2];
pid_t pid;
int result = 0;
+ ScopedProcessLabel keepLabel;
RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
unsigned int privileges_count = 0;
- register_current_process_as_privilege_manager(user.getUid(), false);
- //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
- ++privileges_count;
-
for(unsigned int i = 0; i < MANY_APPS.size(); ++i) {
InstallRequest requestInst;
requestInst.setAppId(MANY_APPS[i].c_str());
privileges_count += MANY_APPS_PRIVILEGES.at(i).size();
};
+ register_current_process_as_privilege_manager(user.getUid(), false);
+ //the above call, registers 1 new privilege for the given user, hence the incrementation of below variable
+ ++privileges_count;
+
//send info to child
msg.uid = user.getUid();
msg.gid = user.getGid();
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
}
if(pid == 0)
{
}
}
-RUNNER_CHILD_TEST(security_manager_18_user_cynara_policy)
+RUNNER_TEST(security_manager_18_user_cynara_policy)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
const char *const MAIN_BUCKET = "MAIN";
const char *const MANIFESTS_BUCKET = "MANIFESTS";
const char *const ADMIN_BUCKET = "ADMIN";
const std::string username("sm_test_10_user_cynara_policy");
CynaraTestAdmin::Admin admin;
std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
user.getUidString(uid_string);
admin.listPolicies(ADMIN_BUCKET, CYNARA_ADMIN_WILDCARD, uid_string.c_str(), CYNARA_ADMIN_WILDCARD, emptyContainer, CYNARA_API_SUCCESS);
}
-RUNNER_CHILD_TEST(security_manager_19_security_manager_cmd_install)
+RUNNER_TEST(security_manager_19_security_manager_cmd_install)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
int ret;
const int SUCCESS = 0;
const int FAILURE = 256;
const std::string pkg_id = "security_manager_10_pkg";
const std::string username("sm_test_10_user_name");
std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
user.getUidString(uid_string);
const std::string path1 = appDirPath(user, app_id, pkg_id) + "/p1";
{"security-manager-cmd --i --app=app_id_10 --pkg=pkg_id_10", FAILURE},//no uid
{installcmd, SUCCESS},
{"security-manager-cmd -i -a" + app_id + " -g" + pkg_id + uidopt, SUCCESS},
- {installcmd + " --path " + path1 + " writable", SUCCESS},
+ {installcmd + " --path " + path1 + " rw", SUCCESS},
{installcmd + " --path " + path1, FAILURE},//no path type
- {installcmd + " --path " + path1 + " writable" + " --path " + path2 + " readable", SUCCESS},
- {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " readable", FAILURE},//wrong path type
- {installcmd + " --path " + path1 + " writable" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
+ {installcmd + " --path " + path1 + " rw" + " --path " + path2 + " ro", SUCCESS},
+ {installcmd + " --path " + path1 + " prie" + " --path " + path2 + " ro", FAILURE},//wrong path type
+ {installcmd + " --path " + path1 + " rw" + " --privilege somepriv --privilege somepriv2" , SUCCESS},
};
for (auto &op : operations) {
- ret = system(op.command.c_str());
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
RUNNER_ASSERT_MSG(ret == op.expected_result,
"Unexpected result for command '" << op.command <<"': "
<< ret << " Expected was: "<< op.expected_result);
}
}
-RUNNER_CHILD_TEST(security_manager_20_security_manager_cmd_users)
+RUNNER_TEST(security_manager_20_security_manager_cmd_users)
{
- RUNNER_IGNORED_MSG("temporarily disabled due to gumd timeouts");
int ret;
const int SUCCESS = 0;
const int FAILURE = 256;
const std::string username("sm_test_11_user_name");
std::string uid_string;
- TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser user(username, GUM_USERTYPE_NORMAL, false);
user.create();
user.getUidString(uid_string);
const std::string uidopt = " --uid=" + uid_string;
};
for (auto &op : operations) {
- ret = system(op.command.c_str());
+ ret = system((op.command + " 1>/dev/null 2>&1").c_str());
RUNNER_ASSERT_MSG(ret == op.expected_result,
"Unexpected result for command '" << op.command <<"': "
<< ret << " Expected was: "<< op.expected_result);
} msg;
privileges_t admin_required_privs = {
- "http://tizen.org/privilege/systemsettings.admin",
- "http://tizen.org/privilege/systemsettings"};
+ PRIVILEGE_MANAGER_SELF_PRIVILEGE,
+ PRIVILEGE_MANAGER_ADMIN_PRIVILEGE};
privileges_t manifest_privs = {
"http://tizen.org/privilege/internet",
- "http://tizen.org/privilege/camera"};
- privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+ "http://tizen.org/privilege/datasharing"};
+ privileges_t real_privs_allow = {"http://tizen.org/privilege/datasharing"};
privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
const std::string pirivman_id = "sm_test_13_ADMIN_APP";
if (pid != 0)//parent process
{
std::string childuidstr;
- TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
- TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+ TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, false);
+ TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, false);
InstallRequest request,request2;
FdUniquePtr pipeptr(pipefd+1);
ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
- //wait for child
- RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+ waitPid(pid);
check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
real_privs_allow, real_privs_deny);
}
}
+void setupPrivilegeGroups(const privileges_t &privileges, const std::vector<std::string> &groups)
+{
+ TestSecurityManagerDatabase db;
+ for (const auto &privilege : privileges) {
+ db.setup_privilege_groups(privilege, groups);
+ }
+}
+
+std::vector<std::string> readPrivilegeGroups()
+{
+ std::vector<std::string> groups;
+ const static std::string privilegeGroupMappingPath("/usr/share/security-manager/policy/privilege-group.list");
+ std::ifstream mappingFile(privilegeGroupMappingPath);
+
+ RUNNER_ASSERT_MSG(mappingFile.is_open(),
+ "Unable to read group mapping file " << privilegeGroupMappingPath);
+
+ std::string line;
+ std::regex r("^[^ #]+ +(.*)");
+ while (std::getline(mappingFile, line)) {
+ std::smatch m;
+ if (std::regex_search(line, m, r))
+ groups.push_back(m[1]);
+ }
+
+ return groups;
+}
+
+RUNNER_TEST(security_manager_22_groups_get)
+{
+ setupPrivilegeGroups(SM_ALLOWED_PRIVILEGES, SM_ALLOWED_GROUPS);
+
+ std::unordered_set<std::string> groups;
+ auto tmp = readPrivilegeGroups();
+ groups.insert(tmp.begin(), tmp.end());
+ groups.insert(SM_ALLOWED_GROUPS.begin(), SM_ALLOWED_GROUPS.end());
+
+ char ** c_groups;
+ size_t count = 0;
+
+ Api::getSecurityManagerGroups(&c_groups, &count);
+ RUNNER_ASSERT_MSG(count == groups.size(), "security_manager_groups_get should set count to: "
+ << groups.size() << " but count is: " << count);
+
+ for (const auto &group : groups) {
+ bool found = false;
+ for (size_t i = 0; i < count; ++i) {
+ if (group == c_groups[i]) {
+ found = true;
+ break;
+ }
+ }
+ RUNNER_ASSERT_MSG(found, "PrivilegeGroup: " << group << " was not found");
+ }
+ security_manager_groups_free(c_groups, count);
+}
+
namespace {
const int sm_app_shared_test_id = 27;
const char *const sm_app_shared_id = "sm_test_27_app_id_full";
}
}
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_PUBLIC_SHARING)
+
RUNNER_TEST(security_manager_27a_API2X_app_install)
{
std::string SM_RW_PATH = genRWPath(sm_app_shared_test_id);
}
+RUNNER_TEST_GROUP_INIT(SECURIT_MANAGER_PRIVATE_SHARING)
+
RUNNER_TEST(security_manager_30a_send_incomplete_req1)
{
SharingRequest request;
Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
}
+struct PathInfo {
+ const std::string &path;
+ app_install_path_type path_type;
+};
+
+static InstallRequest createInstallReq(const std::string &appName, const std::string &pkgName,
+ const std::vector<PathInfo> &paths){
+ InstallRequest req;
+ req.setAppId(appName);
+ req.setPkgId(pkgName);
+ for (const auto &pathInfo : paths) {
+ req.addPath(pathInfo.path, pathInfo.path_type);
+ }
+ return req;
+}
+
+static InstallRequest createInstallReq(const AppInstallHelper &info,
+ const std::vector<PathInfo> &paths = std::vector<PathInfo>()){
+ return createInstallReq(info.getAppId(), info.getPkgId(), paths);
+}
+
+static void clearLabels(const std::string &path) {
+ int result = nftw(path.c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << path);
+}
+
+
RUNNER_TEST(security_manager_30e_unknown_target)
{
// This test depends on order of checks in security-manager service implementation
AppInstallHelper owner("installedApp");
owner.revokeRules();
owner.createInstallDir();
- InstallRequest ownerInst;
- ownerInst.setAppId(owner.getAppId());
- ownerInst.setPkgId(owner.getPkgId());
+ InstallRequest ownerInst = createInstallReq(owner);
Api::install(ownerInst);
AppInstallHelper target("secondInstalledApp");
target.revokeRules();
target.createInstallDir();
- InstallRequest targetInst;
- targetInst.setAppId(target.getAppId());
- targetInst.setPkgId(target.getPkgId());
+ InstallRequest targetInst = createInstallReq(target);
Api::install(targetInst);
SharingRequest request;
Api::applySharing(request, SECURITY_MANAGER_ERROR_APP_NOT_PATH_OWNER);
Api::uninstall(ownerInst);
+ Api::uninstall(targetInst);
}
RUNNER_TEST(security_manager_31_simple_share)
{
- std::vector<AppInstallHelper> helper {{"app30a"}, {"app30b"}};
+ std::vector<AppInstallHelper> helper {{"app31a"}, {"app31b"}};
auto &owner = helper[0];
auto &target = helper[1];
owner.createPrivateDir();
owner.createSharedFile();
-
- InstallRequest ownerReq;
- ownerReq.setAppId(owner.getAppId());
- ownerReq.setPkgId(owner.getPkgId());
- ownerReq.addPath(owner.getSharedPath(), SECURITY_MANAGER_PATH_RW);
- int result = nftw(owner.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << owner.getInstallDir());
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
Api::install(ownerReq);
- InstallRequest targetReq;
- targetReq.setAppId(target.getAppId());
- targetReq.setPkgId(target.getAppId());
+ InstallRequest targetReq = createInstallReq(target);
Api::install(targetReq);
SharingRequest share1;
RUNNER_TEST(security_manager_32_double_share)
{
- std::vector<AppInstallHelper> helper {{"app31a"}, {"app31b"}};
+ std::vector<AppInstallHelper> helper {{"app32a"}, {"app32b"}};
auto &owner = helper[0];
auto &target = helper[1];
}
owner.createPrivateDir();
owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
- InstallRequest ownerReq;
- ownerReq.setAppId(owner.getAppId());
- ownerReq.setPkgId(owner.getPkgId());
- ownerReq.addPath(owner.getSharedPath(), SECURITY_MANAGER_PATH_RW);
-
- int result = nftw(owner.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
Api::install(ownerReq);
- InstallRequest targetReq;
- targetReq.setAppId(target.getAppId());
- targetReq.setPkgId(target.getAppId());
+ InstallRequest targetReq = createInstallReq(target);
Api::install(targetReq);
SharingRequest share1;
}
RUNNER_TEST(security_manager_33_share_two_with_one)
{
- std::vector<AppInstallHelper> helper {{"app32a"}, {"app32b"}};
+ std::vector<AppInstallHelper> helper {{"app33a"}, {"app33b"}};
auto &owner = helper[0];
auto &target = helper[1];
owner.createPrivateDir();
owner.createSharedFile(0);
owner.createSharedFile(1);
-
- InstallRequest ownerReq;
- ownerReq.setAppId(owner.getAppId());
- ownerReq.setPkgId(owner.getPkgId());
- ownerReq.addPath(owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW);
- ownerReq.addPath(owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW);
-
- int result = nftw(owner.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << owner.getInstallDir());
+ clearLabels(owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
Api::install(ownerReq);
- InstallRequest targetReq;
- targetReq.setAppId(target.getAppId());
- targetReq.setPkgId(target.getAppId());
+ InstallRequest targetReq = createInstallReq(target);
Api::install(targetReq);
SharingRequest share1, share2;
RUNNER_TEST(security_manager_34_share_one_with_two)
{
- std::vector<AppInstallHelper> helper {{"app33a"}, {"app33b"}, {"app33c"}};
+ std::vector<AppInstallHelper> helper {{"app34a"}, {"app34b"}, {"app34c"}};
auto &owner = helper[0];
auto &target1 = helper[1];
auto &target2 = helper[2];
}
owner.createPrivateDir();
owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
- InstallRequest ownerReq;
- ownerReq.setAppId(owner.getAppId());
- ownerReq.setPkgId(owner.getPkgId());
- ownerReq.addPath(owner.getSharedPath(), SECURITY_MANAGER_PATH_RW);
- int result = nftw(owner.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << owner.getInstallDir());
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
Api::install(ownerReq);
for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq;
- targetReq.setAppId(helper[i].getAppId());
- targetReq.setPkgId(helper[i].getAppId());
+ InstallRequest targetReq = createInstallReq(helper[i]);
Api::install(targetReq);
}
Api::uninstall(ownerReq);
for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq;
- targetReq.setAppId(helper[i].getAppId());
- targetReq.setPkgId(helper[i].getAppId());
+ InstallRequest targetReq = createInstallReq(helper[i]);
Api::uninstall(targetReq);
}
}
RUNNER_TEST(security_manager_35_share_two_with_two)
{
- std::vector<AppInstallHelper> helper {{"app34a"}, {"app34b"}, {"app34c"}};
+ std::vector<AppInstallHelper> helper {{"app35a"}, {"app35b"}, {"app35c"}};
auto &owner = helper[0];
auto &target1 = helper[1];
auto &target2 = helper[2];
owner.createPrivateDir();
owner.createSharedFile(0);
owner.createSharedFile(1);
+ clearLabels(owner.getInstallDir());
- InstallRequest ownerReq;
- ownerReq.setAppId(owner.getAppId());
- ownerReq.setPkgId(owner.getPkgId());
- ownerReq.addPath(owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW);
- ownerReq.addPath(owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW);
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(0), SECURITY_MANAGER_PATH_RW},
+ PathInfo{owner.getSharedPath(1), SECURITY_MANAGER_PATH_RW}});
- int result = nftw(owner.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to remove Smack labels in " << owner.getInstallDir());
Api::install(ownerReq);
for (size_t i = 1; i < helper.size(); i++) {
- InstallRequest targetReq;
- targetReq.setAppId(helper[i].getAppId());
- targetReq.setPkgId(helper[i].getAppId());
+ InstallRequest targetReq = createInstallReq(helper[i]);
Api::install(targetReq);
}
}
}
-RUNNER_TEST(security_manager_40_set_wrong_author_id)
-{
- InstallRequest requestInst;
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
- RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
- security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
+RUNNER_TEST(security_manager_35_share_uninstall_target) {
+ std::vector<AppInstallHelper> helper {{"app35aa"}, {"app35bb"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
- RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
- security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
-}
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
-RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
-{
- for(unsigned int i=0; i<10; ++i) {
- std::string authorId = "some-author-id" + std::to_string(i);
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
- InstallRequest requestInst;
- requestInst.setAuthorId(authorId);
- }
-}
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
-RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
-{
- std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
- auto &provider = helper[0];
- auto &user = helper[1];
- auto &untrusted = helper[2];
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
- TestSecurityManagerDatabase dbtest;
- const char *author_id = "custom_author_id_test 41";
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
- const char *const trusted_access = "rwxatl";
- const char *const system_access = "rwxatl";
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
- int result;
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(ownerReq);
+}
+
+RUNNER_TEST(security_manager_35_share_uninstall_owner) {
+ std::vector<AppInstallHelper> helper {{"app35aaa"}, {"app35bbb"}};
+ auto &owner = helper[0];
+ auto &target = helper[1];
- // cleanup
for (auto &e : helper) {
e.revokeRules();
e.createInstallDir();
- e.createTrustedDir();
}
- result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
+ owner.createPrivateDir();
+ owner.createSharedFile();
- // install app with shared/trusted dir
- InstallRequest trustingApp;
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_owner_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app36a", "pkg1"}, {"app36b", "pkg1"}, {"app36c", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(pkgAppReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_owner_drop) {
+ std::vector<AppInstallHelper> helper {{"app36aa", "pkg1"}, {"app36bb", "pkg1"}, {"app36cc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::dropSharing(share1);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+ Api::uninstall(targetReq);
+}
+
+RUNNER_TEST(security_manager_36_share_pkg_target_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app36aaa", "pkg1"}, {"app36bbb", "pkg1"}, {"app36ccc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_37_pkg_double_share_target_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app37a", "pkg1"}, {"app37b", "pkg1"}, {"app37c", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::applySharing(share1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::uninstall(targetReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(ownerReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_37_pkg_double_share_owner_uninstall) {
+ std::vector<AppInstallHelper> helper {{"app37aa", "pkg1"}, {"app37bb", "pkg1"}, {"app37cc", "pkg2"}};
+ auto &owner = helper[0];
+ auto &pkgApp = helper[1];
+ auto &target = helper[2];
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+ InstallRequest pkgAppReq = createInstallReq(pkgApp);
+ Api::install(pkgAppReq);
+ InstallRequest targetReq = createInstallReq(target);
+ Api::install(targetReq);
+
+ SharingRequest share1;
+ std::string sharedPath = owner.getSharedPath();
+ share1.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target.getAppId());
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ Api::applySharing(share1);
+
+ TestSecurityManagerDatabase db;
+ std::string pathLabel1 = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel1.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ Api::applySharing(share1);
+
+ check_system_access(pathLabel1);
+ check_owner_access(owner.generateAppLabel(), pathLabel1);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1);
+ check_path_label(sharedPath, pathLabel1);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+
+ check_system_access(pathLabel1, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel1, false);
+ check_owner_access(pkgApp.generateAppLabel(), pathLabel1, false);
+ check_target_access(owner.generatePkgLabel(), target.generateAppLabel(), pathLabel1, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+
+ Api::uninstall(targetReq);
+ Api::uninstall(pkgAppReq);
+}
+
+RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_target)
+{
+ std::vector<AppInstallHelper> helper {{"app38a"}, {"app38b"}, {"app38c"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+
+ InstallRequest targetReq1 = createInstallReq(target1);
+ Api::install(targetReq1);
+ InstallRequest targetReq2 = createInstallReq(target2);
+ Api::install(targetReq2);
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::uninstall(targetReq1);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::dropSharing(share2);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel, false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+ check_path_label(sharedPath, owner.generatePkgLabel());
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(ownerReq);
+ Api::uninstall(targetReq2);
+}
+
+RUNNER_TEST(security_manager_38_share_one_with_two_uninstall_owner)
+{
+ std::vector<AppInstallHelper> helper {{"app38aa"}, {"app38bb"}, {"app38cc"}};
+ auto &owner = helper[0];
+ auto &target1 = helper[1];
+ auto &target2 = helper[2];
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ }
+ owner.createPrivateDir();
+ owner.createSharedFile();
+ clearLabels(owner.getInstallDir());
+
+ InstallRequest ownerReq = createInstallReq(owner,
+ {PathInfo{owner.getSharedPath(), SECURITY_MANAGER_PATH_RW}});
+ Api::install(ownerReq);
+
+
+ InstallRequest targetReq1 = createInstallReq(target1);
+ Api::install(targetReq1);
+ InstallRequest targetReq2 = createInstallReq(target2);
+ Api::install(targetReq2);
+
+ SharingRequest share1, share2;
+ std::string sharedPath = owner.getSharedPath(0).c_str();
+ share1.setOwnerAppId(owner.getAppId());
+ share2.setOwnerAppId(owner.getAppId());
+ share1.setTargetAppId(target1.getAppId());
+ share2.setTargetAppId(target2.getAppId());
+
+ const char *path[] = {sharedPath.c_str()};
+ share1.addPaths(path, 1);
+ share2.addPaths(path, 1);
+
+ Api::applySharing(share1);
+ TestSecurityManagerDatabase db;
+ std::string pathLabel = db.get_path_label(sharedPath.c_str());
+ RUNNER_ASSERT_MSG(!pathLabel.empty(), "Couldn't fetch path label from database for file " << sharedPath);
+
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ Api::applySharing(share2);
+ check_system_access(pathLabel);
+ check_owner_access(owner.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel);
+ check_path_label(sharedPath, pathLabel);
+
+ owner.removePaths();
+ Api::uninstall(ownerReq);
+ check_system_access(pathLabel, false);
+ check_owner_access(owner.generateAppLabel(), pathLabel,false);
+ check_target_access(owner.generatePkgLabel(), target1.generateAppLabel(), pathLabel, false, false);
+ check_target_access(owner.generatePkgLabel(), target2.generateAppLabel(), pathLabel, false, false);
+
+ Api::dropSharing(share1, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::dropSharing(share2, SECURITY_MANAGER_ERROR_APP_UNKNOWN);
+ Api::uninstall(targetReq1);
+ Api::uninstall(targetReq2);
+}
+
+RUNNER_TEST(security_manager_40_set_wrong_author_id)
+{
+ InstallRequest requestInst;
+
+ RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
+ security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
+
+ RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
+ security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
+}
+
+RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
+{
+ for(unsigned int i=0; i<10; ++i) {
+ std::string authorId = "some-author-id" + std::to_string(i);
+
+ InstallRequest requestInst;
+ requestInst.setAuthorId(authorId);
+ }
+}
+
+RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
+{
+ std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
+ auto &provider = helper[0];
+ auto &user = helper[1];
+ auto &untrusted = helper[2];
+
+ TestSecurityManagerDatabase dbtest;
+ const char *author_id = "custom_author_id_test 41";
+
+ const char *const trusted_access = "rwxatl";
+ const char *const system_access = "rwxatl";
+
+ int result;
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ e.createTrustedDir();
+ }
+
+ result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
+
+ // install app with shared/trusted dir
+ InstallRequest trustingApp;
trustingApp.setAppId(provider.getAppId());
trustingApp.setPkgId(provider.getPkgId());
trustingApp.setAuthorId("author id to be overwritten");
trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
Api::install(trustingApp);
- int64_t authorDb = dbtest.get_author_id(author_id);
- const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
+ int64_t authorDb = dbtest.get_author_id(author_id);
+ const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
+
+ // check trusted path label
+ nftw_expected_label = trusted_label;
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+
+ // check labels
+ result = nftw(provider.getTrustedDir().c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_TRUSTED_PATH);
+
+ // check rules
+ check_exact_access("System", trusted_label, system_access);
+ check_exact_access("User", trusted_label, system_access);
+ check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
+
+ // install trusted app
+ InstallRequest trustedApp;
+ trustedApp.setAppId(user.getAppId());
+ trustedApp.setPkgId(user.getPkgId());
+ trustedApp.setAuthorId(author_id);
+ Api::install(trustedApp);
+
+ // check rules
+ check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+
+ // install untrusted app
+ InstallRequest untrustedApp;
+ untrustedApp.setAppId(untrusted.getAppId());
+ untrustedApp.setPkgId(untrusted.getPkgId());
+ Api::install(untrustedApp);
+
+ // check rules
+ check_exact_access(generateAppLabel(untrusted.getAppId()), trusted_label, "");
+ check_exact_access(generatePkgLabel(untrusted.getPkgId()), trusted_label, "");
+
+ // uninstall trusting app
+ Api::uninstall(trustingApp);
+
+ // there's still one app with author id, rules should be kept
+ check_exact_access("System", trusted_label, system_access);
+ check_exact_access("User", trusted_label, system_access);
+ check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, "");
+ check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
+ check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
+ check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+
+ Api::uninstall(trustedApp);
+
+ // no more apps with author id
+ check_exact_access("System", trusted_label, "");
+ check_exact_access("User", trusted_label, "");
+ check_exact_access(generateAppLabel(user.getAppId()), trusted_label, "");
+ check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+
+ Api::uninstall(untrustedApp);
+}
+
+
+RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
+{
+ AppInstallHelper help("app44");
+ help.createInstallDir();
+ help.createTrustedDir();
+
+ // install app with shared/trusted dir but without authors id
+ InstallRequest app;
+ app.setAppId(help.getAppId());
+ app.setPkgId(help.getPkgId());
+ app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
+
+RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
+{
+ std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
+ auto &trusted1 = helper[0];
+ auto &trusted2 = helper[1];
+
+ TestSecurityManagerDatabase dbtest;
+ const char *authorId1 = "custom_author_id_test a45";
+ const char *authorId2 = "custom_author_id_test b45";
+
+ // cleanup
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ e.createTrustedDir();
+ }
+
+ // install app with shared/trusted dir
+ InstallRequest trustingApp;
+ trustingApp.setAppId(trusted1.getAppId());
+ trustingApp.setPkgId(trusted1.getPkgId());
+ trustingApp.setAuthorId(authorId1);
+ trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(trustingApp);
+
+ int64_t authorDb1 = dbtest.get_author_id(authorId1);
+
+ // install trusted app
+ InstallRequest trustedApp;
+ trustedApp.setAppId(trusted2.getAppId());
+ trustedApp.setPkgId(trusted2.getPkgId());
+ trustedApp.setAuthorId(authorId2);
+ Api::install(trustedApp);
+
+ int64_t authorDb2 = dbtest.get_author_id(authorId2);
+
+ Api::uninstall(trustingApp);
+ Api::uninstall(trustedApp);
+
+ RUNNER_ASSERT(authorDb1 != authorDb2);
+}
+
+RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
+{
+ /* Description:
+ * Lets assume that app1 and app2 are part of pkg1.
+ * Deinstalation of app1 mustnot remove rules:
+ * System PKG1Label rwxatl
+ * User PKGLabel rwxatl
+ */
+
+ std::vector<AppInstallHelper> helper {{"a46"}, {"b46"}};
+ auto &trusted1 = helper[0];
+ auto &trusted2 = helper[1];
+
+ std::string authorId1 = "author46XYZ";
+
+ for (auto &e : helper) {
+ e.revokeRules();
+ e.createInstallDir();
+ e.createTrustedDir();
+ }
+
+ InstallRequest trustingApp;
+ trustingApp.setAppId(trusted1.getAppId());
+ trustingApp.setPkgId(trusted1.getPkgId());
+ trustingApp.setAuthorId(authorId1);
+ trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
+ Api::install(trustingApp);
+
+ InstallRequest trustingApp2;
+ trustingApp2.setAppId(trusted2.getAppId());
+ trustingApp2.setPkgId(trusted1.getPkgId()); // both apps will be part of same pkgId
+ trustingApp2.setAuthorId(authorId1);
+ Api::install(trustingApp2);
+
+ check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("System", generateAppLabel(trusted2.getAppId()), "rwxl");
+ check_exact_access("User", generateAppLabel(trusted2.getAppId()), "rwxl");
+
+ Api::uninstall(trustingApp2);
+
+ check_exact_access("System", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("User", generateAppLabel(trusted1.getAppId()), "rwxl");
+ check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "rwxatl");
+ check_exact_access("System", generateAppLabel(trusted2.getAppId()), "");
+ check_exact_access("User", generateAppLabel(trusted2.getAppId()), "");
+
+ Api::uninstall(trustingApp);
+
+ check_exact_access("System", generateAppLabel(trusted1.getAppId()), "");
+ check_exact_access("User", generateAppLabel(trusted1.getAppId()), "");
+ check_exact_access("System", generatePkgLabel(trusted1.getPkgId()), "");
+ check_exact_access("User", generatePkgLabel(trusted1.getPkgId()), "");
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_CREDENTIAL_API)
+
+class ProcessCredentials {
+public:
+ ProcessCredentials(const std::string &smackLabel) : m_label(smackLabel) {}
+
+ const std::string &label(void) const {
+ return m_label;
+ }
+
+ uid_t uid(void) const {
+ return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
+ }
+
+ gid_t gid(void) const {
+ return PasswdAccess::gid("users");
+ }
+
+private:
+ std::string m_label;
+};
+
+pid_t runInChild(const std::function<void(void)> &process) {
+ pid_t pid = fork();
+ RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
+
+ if (pid == 0) {
+ process();
+ exit(EXIT_SUCCESS);
+ }
+
+ return pid;
+}
+
+void udsServer(SynchronizationPipe &pipe, const struct sockaddr_un &sockaddr,
+ const struct ProcessCredentials &peerCredentials) {
+ SecurityServer::AccessProvider ap(peerCredentials.label());
+ ap.applyAndSwithToUser(peerCredentials.uid(), peerCredentials.gid());
+ pipe.claimChildEp();
+
+ int sock = UDSHelpers::createServer(&sockaddr);
+ SockUniquePtr sockPtr(&sock);
+ pipe.post();
+ int clientSock = UDSHelpers::acceptClient(sock);
+
+ UDSHelpers::waitForDisconnect(clientSock);
+}
+
+typedef std::function<void(int sock, pid_t pid)> SocketAssertionFn;
+
+void clientTestTemplate(SocketAssertionFn assertion, const std::string &scope, const std::string &smackLabel) {
+ const auto sockaddr = UDSHelpers::makeAbstractAddress("test_sm_" + scope + ".socket");
+ const ProcessCredentials peerCredentials(smackLabel);
+
+ SynchronizationPipe pipe;
+
+ pid_t pid = runInChild(std::bind(udsServer, std::ref(pipe), std::cref(sockaddr),
+ std::cref(peerCredentials)));
+
+ pipe.claimParentEp();
+ pipe.wait();
+ int sock = UDSHelpers::createClient(&sockaddr);
+ SockUniquePtr sockPtr(&sock);
+
+ assertion(sock, pid);
+}
+
+RUNNER_CHILD_TEST(security_manager_51a_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51a_app";
+ const char *const sm_pkg_id = "sm_test_51a_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdBySocket(sock, &rcvPkgId, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm27a", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51b_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51b_app";
+ const char *const sm_pkg_id = "sm_test_51b_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdBySocket(sock + 1, &rcvPkgId, &rcvAppId, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ }, "tcsm27b", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51c_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51c_app";
+ const char *const sm_pkg_id = "sm_test_51c_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvPkgId;
+ Api::getPkgIdBySocket(sock, &rcvPkgId, nullptr);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ }, "tcsm27c", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51d_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51d_app";
+ const char *const sm_pkg_id = "sm_test_51d_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ std::string rcvAppId;
+ Api::getPkgIdBySocket(sock, nullptr, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm27d", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_51e_get_id_by_socket)
+{
+ const char *const sm_app_id = "sm_test_51e_app";
+ const char *const sm_pkg_id = "sm_test_51e_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int sock, pid_t) {
+ Api::getPkgIdBySocket(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ }, "tcsm27e", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52a_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52a_app";
+ const char *const sm_pkg_id = "sm_test_52a_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdByPid(pid, &rcvPkgId, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm28a", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52b_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52b_app";
+ const char *const sm_pkg_id = "sm_test_52b_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvPkgId, rcvAppId;
+ Api::getPkgIdByPid(pid + 1, &rcvPkgId, &rcvAppId, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
+ }, "tcsm28b", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52c_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52c_app";
+ const char *const sm_pkg_id = "sm_test_52c_pkg";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+
+ Api::install(requestInst);
+
+ std::string smackLabel = generateAppLabel(sm_app_id);
+
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvPkgId;
+ Api::getPkgIdByPid(pid, &rcvPkgId, nullptr);
+ RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
+ << "; expected = " << sm_pkg_id);
+ }, "tcsm28c", smackLabel);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_CHILD_TEST(security_manager_52d_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52d_app";
+ const char *const sm_pkg_id = "sm_test_52d_pkg";
- // check trusted path label
- nftw_expected_label = trusted_label;
- nftw_expected_transmute = true;
- nftw_expected_exec = false;
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
- // check labels
- result = nftw(provider.getTrustedDir().c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
- RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << SM_TRUSTED_PATH);
+ Api::install(requestInst);
- // check rules
- check_exact_access("System", trusted_label, system_access);
- check_exact_access("User", trusted_label, system_access);
- check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, trusted_access);
- check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
+ std::string smackLabel = generateAppLabel(sm_app_id);
- // install trusted app
- InstallRequest trustedApp;
- trustedApp.setAppId(user.getAppId());
- trustedApp.setPkgId(user.getPkgId());
- trustedApp.setAuthorId(author_id);
- Api::install(trustedApp);
+ clientTestTemplate([&] (int, pid_t pid) {
+ std::string rcvAppId;
+ Api::getPkgIdByPid(pid, nullptr, &rcvAppId);
+ RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
+ << "; expected = " << sm_app_id);
+ }, "tcsm28d", smackLabel);
- // check rules
- check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
- check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
- // install untrusted app
- InstallRequest untrustedApp;
- untrustedApp.setAppId(untrusted.getAppId());
- untrustedApp.setPkgId(untrusted.getPkgId());
- Api::install(untrustedApp);
+ Api::uninstall(requestUninst);
+}
- // check rules
- check_exact_access(generateAppLabel(untrusted.getAppId()), trusted_label, "");
- check_exact_access(generatePkgLabel(untrusted.getPkgId()), trusted_label, "");
+RUNNER_CHILD_TEST(security_manager_52e_get_id_by_pid)
+{
+ const char *const sm_app_id = "sm_test_52e_app";
+ const char *const sm_pkg_id = "sm_test_52e_pkg";
- // uninstall trusting app
- Api::uninstall(trustingApp);
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
- // there's still one app with author id, rules should be kept
- check_exact_access("System", trusted_label, system_access);
- check_exact_access("User", trusted_label, system_access);
- check_exact_access(generateAppLabel(provider.getAppId()), trusted_label, "");
- check_exact_access(generatePkgLabel(provider.getPkgId()), trusted_label, "");
- check_exact_access(generateAppLabel(user.getAppId()), trusted_label, trusted_access);
- check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+ Api::install(requestInst);
- Api::uninstall(trustedApp);
+ std::string smackLabel = generateAppLabel(sm_app_id);
- // no more apps with author id
- check_exact_access("System", trusted_label, "");
- check_exact_access("User", trusted_label, "");
- check_exact_access(generateAppLabel(user.getAppId()), trusted_label, "");
- check_exact_access(generatePkgLabel(user.getPkgId()), trusted_label, "");
+ clientTestTemplate([&] (int sock, pid_t) {
+ Api::getPkgIdByPid(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ }, "tcsm28e", smackLabel);
- Api::uninstall(untrustedApp);
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
}
+RUNNER_CHILD_TEST(security_manager_53_app_has_privilege)
+{
+ const char *const sm_app_id = "sm_test_53_app";
+ const char *const sm_pkg_id = "sm_test_53_pkg";
+ const std::string new_user_name = "sm_test_47_user_name";
-RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
+ requestInst.addPrivilege(privilege.c_str());
+ Api::install(requestInst);
+
+ for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
+ int result;
+ Api::appHasPrivilege(sm_app_id, privilege.c_str(), getGlobalUserId(), result);
+ RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
+ " should have access to privilege " << privilege);
+ }
+
+ for (auto const &privilege : SM_DENIED_PRIVILEGES) {
+ int result;
+ Api::appHasPrivilege(sm_app_id, privilege.c_str(), getGlobalUserId(), result);
+ RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
+ " should not have access to privilege " << privilege);
+ }
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+ Api::uninstall(requestUninst);
+}
+
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_INSTALL_TYPE)
+
+RUNNER_TEST(security_manager_49a_global_user_set_install_type_global)
{
- AppInstallHelper help("app44");
- help.createInstallDir();
- help.createTrustedDir();
+ const char *const sm_app_id = "sm_test_49a_app_id_global";
+ const char *const sm_pkg_id = "sm_test_49a_pkg_id_global";
- // install app with shared/trusted dir but without authors id
- InstallRequest app;
- app.setAppId(help.getAppId());
- app.setPkgId(help.getPkgId());
- app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
- Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_GLOBAL);
+
+ Api::install(requestInst);
+
+ // Check records in the security-manager database
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+
+ // Check records in the security-manager database
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
}
-class ProcessCredentials {
-public:
- ProcessCredentials(const std::string &smackLabel) : m_label(smackLabel) {}
+RUNNER_TEST(security_manager_49b_global_user_set_install_type_local)
+{
+ const char *const sm_app_id = "sm_test_49b_app_id_local";
+ const char *const sm_pkg_id = "sm_test_49b_pkg_id_local";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_LOCAL);
+
+ Api::install(requestInst, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
+}
+
+RUNNER_TEST(security_manager_49c_global_user_set_install_type_preloaded)
+{
+ const char *const sm_app_id = "sm_test_49c_app_id_preloaded";
+ const char *const sm_pkg_id = "sm_test_49c_pkg_id_preloaded";
+
+ InstallRequest requestInst;
+ requestInst.setAppId(sm_app_id);
+ requestInst.setPkgId(sm_pkg_id);
+ requestInst.setInstallType(SM_APP_INSTALL_PRELOADED);
+
+ Api::install(requestInst);
+
+ // Check records in the security-manager database
+ check_app_after_install(sm_app_id, sm_pkg_id);
+
+ InstallRequest requestUninst;
+ requestUninst.setAppId(sm_app_id);
+
+ Api::uninstall(requestUninst);
+
+ // Check records in the security-manager database
+ check_app_after_uninstall(sm_app_id, sm_pkg_id, TestSecurityManagerDatabase::REMOVED);
+}
+
+RUNNER_CHILD_TEST(security_manager_49d_local_user_set_install_type_global)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49d_app_id_global";
+ const char *const sm_pkg_id = "sm_test_49d_pkg_id_global";
+ const std::string new_user_name = "sm_test_49d_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_GLOBAL);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ /*
+ * It is possible for local user to install global application but one needs app_install privileges
+ * By default only global user or root can install global apps
+ */
+ Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_CHILD_TEST(security_manager_49e_local_user_set_install_type_local)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49e_app_id_local";
+ const char *const sm_pkg_id = "sm_test_49e_pkg_id_local";
+ const std::string new_user_name = "sm_test_49e_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_LOCAL);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ Api::install(requestPrivateUser);
+
+ check_app_permissions(sm_app_id, sm_pkg_id,
+ uidToStr(testUser.getUid()).c_str(),
+ SM_ALLOWED_PRIVILEGES, SM_DENIED_PRIVILEGES);
+
+ //uninstall app as non-root user
+ InstallRequest request;
+ request.setAppId(sm_app_id);
+
+ Api::uninstall(request);
+
+ check_app_permissions(sm_app_id, sm_pkg_id,
+ uidToStr(testUser.getUid()).c_str(),
+ SM_NO_PRIVILEGES, SM_ALLOWED_PRIVILEGES);
+}
+
+RUNNER_CHILD_TEST(security_manager_49f_local_user_set_install_type_preloaded)
+{
+ int result;
+ const char *const sm_app_id = "sm_test_49f_app_id_preloaded";
+ const char *const sm_pkg_id = "sm_test_49f_pkg_id_preloaded";
+ const std::string new_user_name = "sm_test_49f_user_name";
+
+ TemporaryTestUser testUser(new_user_name, GUM_USERTYPE_NORMAL, false);
+ testUser.create();
+
+ removeTestDirs(testUser, sm_app_id, sm_pkg_id);
+ createTestDirs(testUser, sm_app_id, sm_pkg_id);
+
+ const std::string userAppDirPath = appDirPath(testUser, sm_app_id, sm_pkg_id);
+
+ //switch user to non-root
+ result = drop_root_privileges(testUser.getUid(), testUser.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ InstallRequest requestPrivateUser;
+ prepare_request(requestPrivateUser, sm_app_id, sm_pkg_id,
+ SECURITY_MANAGER_PATH_RW, userAppDirPath.c_str(),
+ false);
+
+ requestPrivateUser.setInstallType((app_install_type)0, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType((app_install_type)22, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ requestPrivateUser.setInstallType(SM_APP_INSTALL_PRELOADED);
+
+ for (auto &privilege : SM_ALLOWED_PRIVILEGES)
+ requestPrivateUser.addPrivilege(privilege.c_str());
+
+ /*
+ * It is possible for local user to install preloaded application but one needs app_install privileges
+ * By default only global user or root can install preloaded apps
+ */
+ Api::install(requestPrivateUser, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
+
+RUNNER_TEST(security_manager_50_app_install_constraint_check)
+{
+ auto install = [](const TemporaryTestUser& user,
+ const char *pkgId,
+ const char *appId,
+ const char *version,
+ const char *author,
+ enum lib_retcode expected,
+ bool uninstall = true)
+ {
+ InstallRequest request;
+ request.setAppId(appId);
+ request.setPkgId(pkgId);
+ request.setAppTizenVersion(version);
+ request.setAuthorId(author);
+ request.setUid(user.getUid());
+
+ Api::install(request, expected);
+
+ if(expected == SECURITY_MANAGER_SUCCESS) {
+ // TODO add verification once check_app_after_install() supports uid
+ // check_app_after_install(appId, pkgId);
+ if(uninstall)
+ Api::uninstall(request);
+ }
+ };
+
+ std::vector<TemporaryTestUser> users = {
+ {"sm_test_50_user_name_0", GUM_USERTYPE_NORMAL, false},
+ {"sm_test_50_user_name_1", GUM_USERTYPE_NORMAL, false}
+ };
- const std::string &label(void) const {
- return m_label;
- }
+ for(auto& gu : users)
+ gu.create();
+
+ const char *const pkgId[] = {"sm_test_50_pkg_id_0", "sm_test_50_pkg_id_1"};
+ const char *const appId[] = {"sm_test_50_app_id_0", "sm_test_50_app_id_1"};
+ const char *const version[] = {"sm_test_50_version_0", "sm_test_50_version_1"};
+ const char *const author[] = {"sm_test_50_author_0", "sm_test_50_author_1"};
+
+ // uid_0, pkg_0, app_0, version_0, author_0
+ install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
+
+ // uid_1, pkg_0, app_0, version_0, author_0 -> ok (different uid)
+ install(users[1], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS);
+ // uid_1, pkg_0, app_0, version_0, author_1 -> fail (author of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_0, app_0, version_1, author_0 -> fail (version of app_0 must be the same)
+ install(users[1], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_1, pkg_1, app_0, version_0, author_0 -> fail (pkg of app_0 must be the same)
+ install(users[1], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_0 -> ok (the same app again)
+ install(users[0], pkgId[0], appId[0], version[0], author[0], SECURITY_MANAGER_SUCCESS, false);
+ // uid_0, pkg_1, app_0, version_0, author_0 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[1], appId[0], version[0], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_1, author_0 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[1], author[0], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ // uid_0, pkg_0, app_0, version_0, author_1 -> fail (app_name + uid must be unique)
+ install(users[0], pkgId[0], appId[0], version[0], author[1], SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
- uid_t uid(void) const {
- return tzplatform_getuid(TZ_SYS_GLOBALAPP_USER);
- }
+RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_REGISTER_PATH)
- gid_t gid(void) const {
- return PasswdAccess::gid("users");
- }
+RUNNER_TEST(security_manager_54_path_req_no_pkg)
+{
+ const char *const sm_app_id = "sm_test_54_app_id";
+ const char *const sm_pkg_id = "sm_test_54_pkg_id";
-private:
- std::string m_label;
-};
+ TemporaryTestUser user("sm_test_54_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
-pid_t runInChild(const std::function<void(void)> &process) {
- pid_t pid = fork();
- RUNNER_ASSERT_ERRNO_MSG(pid >= 0, "fork failed");
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- if (pid == 0) {
- process();
- exit(EXIT_SUCCESS);
- }
+ PathsRequest req;
+ req.setPkgId("non-existing-pkg-id");
+ req.setUid(user.getUid());
+ req.addPath(path, SECURITY_MANAGER_PATH_RW);
- return pid;
+ Api::registerPaths(req, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
-void udsServer(SynchronizationPipe &pipe, const struct sockaddr_un &sockaddr,
- const struct ProcessCredentials &peerCredentials) {
- SecurityServer::AccessProvider ap(peerCredentials.label());
- ap.applyAndSwithToUser(peerCredentials.uid(), peerCredentials.gid());
- pipe.claimChildEp();
+RUNNER_TEST(security_manager_55_path_req_empty_pkg)
+{
+ const char *const sm_app_id = "sm_test_55_app_id";
+ const char *const sm_pkg_id = "sm_test_55_pkg_id";
- int sock = UDSHelpers::createServer(&sockaddr);
- SockUniquePtr sockPtr(&sock);
- pipe.post();
- int clientSock = UDSHelpers::acceptClient(sock);
+ TemporaryTestUser user("sm_test_55_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- UDSHelpers::waitForDisconnect(clientSock);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ PathsRequest req;
+ req.setPkgId("");
+ req.setUid(user.getUid());
+ req.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(req, (lib_retcode)SECURITY_MANAGER_ERROR_REQ_NOT_COMPLETE);
}
-typedef std::function<void(int sock, pid_t pid)> SocketAssertionFn;
+RUNNER_TEST(security_manager_56_path_req_wrong_type)
+{
+ PathsRequest req;
+ req.setInstallType(SM_APP_INSTALL_END,
+ (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+ req.setInstallType((app_install_type)(SM_APP_INSTALL_NONE-1),
+ (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
+}
-void clientTestTemplate(SocketAssertionFn assertion, const std::string &scope, const std::string &smackLabel) {
- const auto sockaddr = UDSHelpers::makeAbstractAddress("test_sm_" + scope + ".socket");
- const ProcessCredentials peerCredentials(smackLabel);
+RUNNER_TEST(security_manager_57_path_req_wrong_uid)
+{
+ const char *const sm_app_id = "sm_test_57_app_id";
+ const char *const sm_pkg_id = "sm_test_57_pkg_id";
- SynchronizationPipe pipe;
+ TemporaryTestUser user("sm_test_57_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- pid_t pid = runInChild(std::bind(udsServer, std::ref(pipe), std::cref(sockaddr),
- std::cref(peerCredentials)));
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- pipe.claimParentEp();
- pipe.wait();
- int sock = UDSHelpers::createClient(&sockaddr);
- SockUniquePtr sockPtr(&sock);
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
- assertion(sock, pid);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(-1);
+ preq.setInstallType(SM_APP_INSTALL_LOCAL);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_SERVER_ERROR);
}
-RUNNER_CHILD_TEST(security_manager_45a_get_id_by_socket)
+RUNNER_TEST(security_manager_58_path_req_empty_paths)
{
- const char *const sm_app_id = "sm_test_45a_app";
- const char *const sm_pkg_id = "sm_test_45a_pkg";
+ const char *const sm_app_id = "sm_test_58_app_id";
+ const char *const sm_pkg_id = "sm_test_58_pkg_id";
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ TemporaryTestUser user("sm_test_58_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
- Api::install(requestInst);
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
- std::string smackLabel = generateAppLabel(sm_app_id);
+ PathsRequest req;
+ req.setPkgId(sm_pkg_id);
+ req.setUid(user.getUid());
+ Api::registerPaths(req);
+}
- clientTestTemplate([&] (int sock, pid_t) {
- std::string rcvPkgId, rcvAppId;
- Api::getPkgIdBySocket(sock, &rcvPkgId, &rcvAppId);
- RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
- << "; expected = " << sm_pkg_id);
- RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
- << "; expected = " << sm_app_id);
- }, "tcsm27a", smackLabel);
+RUNNER_TEST(security_manager_59_path_req_as_root_positive)
+{
+ const char *const sm_app_id = "sm_test_59_app_id";
+ const char *const sm_pkg_id = "sm_test_59_pkg_id";
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ TemporaryTestUser user("sm_test_59_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- Api::uninstall(requestUninst);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
+
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
}
-RUNNER_CHILD_TEST(security_manager_45b_get_id_by_socket)
+RUNNER_CHILD_TEST(security_manager_60_path_req_as_user_positive)
{
- const char *const sm_app_id = "sm_test_45b_app";
- const char *const sm_pkg_id = "sm_test_45b_pkg";
+ const char *const sm_app_id = "sm_test_60_app_id";
+ const char *const sm_pkg_id = "sm_test_60_pkg_id";
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ TemporaryTestUser user("sm_test_60_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- Api::install(requestInst);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- std::string smackLabel = generateAppLabel(sm_app_id);
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
- clientTestTemplate([&] (int sock, pid_t) {
- std::string rcvPkgId, rcvAppId;
- Api::getPkgIdBySocket(sock + 1, &rcvPkgId, &rcvAppId, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
- }, "tcsm27b", smackLabel);
+ int result = drop_root_privileges(user.getUid(), user.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
- Api::uninstall(requestUninst);
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
}
-RUNNER_CHILD_TEST(security_manager_45c_get_id_by_socket)
+RUNNER_CHILD_TEST(security_manager_61_path_req_different_user)
{
- const char *const sm_app_id = "sm_test_45c_app";
- const char *const sm_pkg_id = "sm_test_45c_pkg";
+ const char *const sm_app_id = "sm_test_61_app_id";
+ const char *const sm_pkg_id = "sm_test_61_pkg_id";
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ TemporaryTestUser user1("sm_test_61_1_user_name", GUM_USERTYPE_NORMAL, false);
+ user1.create();
+ TemporaryTestUser user2("sm_test_61_2_user_name", GUM_USERTYPE_NORMAL, false);
+ user2.create();
- Api::install(requestInst);
+ std::string path = appDirPath(user2, sm_app_id, sm_pkg_id);
- std::string smackLabel = generateAppLabel(sm_app_id);
+ removeTestDirs(user2, sm_app_id, sm_pkg_id);
+ createTestDirs(user2, sm_app_id, sm_pkg_id);
- clientTestTemplate([&] (int sock, pid_t) {
- std::string rcvPkgId;
- Api::getPkgIdBySocket(sock, &rcvPkgId, nullptr);
- RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
- << "; expected = " << sm_pkg_id);
- }, "tcsm27c", smackLabel);
+ install_app(sm_app_id, sm_pkg_id, user2.getUid());
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ int result = drop_root_privileges(user1.getUid(), user1.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
- Api::uninstall(requestUninst);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user2.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
}
-RUNNER_CHILD_TEST(security_manager_45d_get_id_by_socket)
+void testPathOutside(const std::string& pkgId, uid_t uid, const std::string& path)
{
- const char *const sm_app_id = "sm_test_45d_app";
- const char *const sm_pkg_id = "sm_test_45d_pkg";
+ PathsRequest preq;
+ preq.setPkgId(pkgId);
+ preq.setUid(uid);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
- Api::install(requestInst);
+RUNNER_TEST(security_manager_62_path_req_path_outside)
+{
+ const char *const sm_app_id = "sm_test_62_app_id";
+ const char *const sm_pkg_id = "sm_test_62_pkg_id";
- std::string smackLabel = generateAppLabel(sm_app_id);
+ TemporaryTestUser user1("sm_test_62_1_user_name", GUM_USERTYPE_NORMAL, false);
+ user1.create();
+ TemporaryTestUser user2("sm_test_62_2_user_name", GUM_USERTYPE_NORMAL, false);
+ user2.create();
- clientTestTemplate([&] (int sock, pid_t) {
- std::string rcvAppId;
- Api::getPkgIdBySocket(sock, nullptr, &rcvAppId);
- RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
- << "; expected = " << sm_app_id);
- }, "tcsm27d", smackLabel);
+ install_app(sm_app_id, sm_pkg_id, user1.getUid());
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ removeTestDirs(user1, sm_app_id, sm_pkg_id);
+ removeTestDirs(user2, sm_app_id, sm_pkg_id);
+ createTestDirs(user1, sm_app_id, sm_pkg_id);
+ createTestDirs(user2, sm_app_id, sm_pkg_id);
- Api::uninstall(requestUninst);
+ testPathOutside(sm_pkg_id, user1.getUid(), appDirPath(user2, sm_app_id, sm_pkg_id));
+ testPathOutside(sm_pkg_id, user1.getUid(), appDirPath(user1, sm_app_id, "sm_test_62_non_existing_pkg_id"));
+ testPathOutside(sm_pkg_id, user1.getUid(), std::string("/home/") + user1.getUserName());
}
-RUNNER_CHILD_TEST(security_manager_45e_get_id_by_socket)
-{
- const char *const sm_app_id = "sm_test_45e_app";
- const char *const sm_pkg_id = "sm_test_45e_pkg";
+void testPathsReqAsUser(const enum app_install_type &type, lib_retcode expectedResult) {
+ const char *const sm_app_id = "sm_test_63_app_id";
+ const char *const sm_pkg_id = "sm_test_63_pkg_id";
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ TemporaryTestUser user("sm_test_63_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- Api::install(requestInst);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- std::string smackLabel = generateAppLabel(sm_app_id);
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
- clientTestTemplate([&] (int sock, pid_t) {
- Api::getPkgIdBySocket(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
- }, "tcsm27e", smackLabel);
+ int result = drop_root_privileges(user.getUid(), user.getGid());
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.setInstallType(type);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
- Api::uninstall(requestUninst);
+ Api::registerPaths(preq, expectedResult);
}
-RUNNER_CHILD_TEST(security_manager_46a_get_id_by_pid)
+RUNNER_CHILD_TEST(security_manager_63a_path_req_as_user)
{
- const char *const sm_app_id = "sm_test_46a_app";
- const char *const sm_pkg_id = "sm_test_46a_pkg";
+ testPathsReqAsUser(SM_APP_INSTALL_GLOBAL,
+ (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+RUNNER_CHILD_TEST(security_manager_63b_path_req_preloaded_as_user)
+{
+ testPathsReqAsUser(SM_APP_INSTALL_PRELOADED,
+ (lib_retcode)SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
+}
- Api::install(requestInst);
+void testPathsReqLocal(uid_t uid, gid_t gid)
+{
+ const char *const sm_app_id = "sm_test_64_app_id";
+ const char *const sm_pkg_id = "sm_test_64_pkg_id";
- std::string smackLabel = generateAppLabel(sm_app_id);
+ TemporaryTestUser user("sm_test_64_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- clientTestTemplate([&] (int, pid_t pid) {
- std::string rcvPkgId, rcvAppId;
- Api::getPkgIdByPid(pid, &rcvPkgId, &rcvAppId);
- RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
- << "; expected = " << sm_pkg_id);
- RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
- << "; expected = " << sm_app_id);
- }, "tcsm28a", smackLabel);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
- Api::uninstall(requestUninst);
+ int result = drop_root_privileges(uid, gid);
+ RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.setInstallType(SM_APP_INSTALL_LOCAL);
+ preq.addPath(path, SECURITY_MANAGER_PATH_RW);
+
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
}
-RUNNER_CHILD_TEST(security_manager_46b_get_id_by_pid)
+
+RUNNER_CHILD_TEST(security_manager_64a_path_req_as_local_as_root)
{
- const char *const sm_app_id = "sm_test_46b_app";
- const char *const sm_pkg_id = "sm_test_46b_pkg";
+ testPathsReqLocal(0, 0);
+}
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+RUNNER_CHILD_TEST(security_manager_64b_path_req_as_local_asuser)
+{
+ testPathsReqLocal(getGlobalUserId(), getGlobalGroupId());
+}
- Api::install(requestInst);
+RUNNER_TEST(security_manager_66_path_req_check_labels)
+{
+ const char *const sm_app_id = "sm_test_66_app_id_full";
+ const char *const sm_pkg_id = "sm_test_66_pkg_id_full";
- std::string smackLabel = generateAppLabel(sm_app_id);
+ std::string SM_RW_PATH = genRWPath(66);
+ std::string SM_RO_PATH = genROPath(66);
+ std::string SM_PUBLIC_RO_PATH = genPublicROPath(66);
- clientTestTemplate([&] (int, pid_t pid) {
- std::string rcvPkgId, rcvAppId;
- Api::getPkgIdByPid(pid + 1, &rcvPkgId, &rcvAppId, SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT);
- }, "tcsm28b", smackLabel);
+ prepare_app_env(66);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ install_app(sm_app_id, sm_pkg_id);
- Api::uninstall(requestUninst);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.addPath(SM_RW_PATH, SECURITY_MANAGER_PATH_RW);
+ preq.addPath(SM_RO_PATH, SECURITY_MANAGER_PATH_RO);
+ preq.addPath(SM_PUBLIC_RO_PATH, SECURITY_MANAGER_PATH_PUBLIC_RO);
+ Api::registerPaths(preq);
+
+ uninstall_app(sm_app_id, sm_pkg_id, true);
}
-RUNNER_CHILD_TEST(security_manager_46c_get_id_by_pid)
+RUNNER_TEST(security_manager_67_path_req_shared_ro_3_0)
{
- const char *const sm_app_id = "sm_test_46c_app";
- const char *const sm_pkg_id = "sm_test_46c_pkg";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ const char *const sm_app_id = "sm_test_67_app_id";
+ const char *const sm_pkg_id = "sm_test_67_pkg_id";
- Api::install(requestInst);
+ TemporaryTestUser user("sm_test_67_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- std::string smackLabel = generateAppLabel(sm_app_id);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- clientTestTemplate([&] (int, pid_t pid) {
- std::string rcvPkgId;
- Api::getPkgIdByPid(pid, &rcvPkgId, nullptr);
- RUNNER_ASSERT_MSG(rcvPkgId == sm_pkg_id, "pkgIds don't match ret = " << rcvPkgId
- << "; expected = " << sm_pkg_id);
- }, "tcsm28c", smackLabel);
+ InstallRequest ireq;
+ ireq.setAppId(sm_app_id);
+ ireq.setPkgId(sm_pkg_id);
+ ireq.setUid(user.getUid());
+ ireq.setAppTizenVersion("3.0");
+ Api::install(ireq);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
- Api::uninstall(requestUninst);
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_SUCCESS);
}
-RUNNER_CHILD_TEST(security_manager_46d_get_id_by_pid)
+RUNNER_TEST(security_manager_68_path_req_shared_ro_2_X)
{
- const char *const sm_app_id = "sm_test_46d_app";
- const char *const sm_pkg_id = "sm_test_46d_pkg";
+ const char *const sm_app_id = "sm_test_68_app_id";
+ const char *const sm_pkg_id = "sm_test_68_pkg_id";
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ TemporaryTestUser user("sm_test_68_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- Api::install(requestInst);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- std::string smackLabel = generateAppLabel(sm_app_id);
+ InstallRequest ireq;
+ ireq.setAppId(sm_app_id);
+ ireq.setPkgId(sm_pkg_id);
+ ireq.setUid(user.getUid());
+ ireq.setAppTizenVersion("2.4");
+ Api::install(ireq);
- clientTestTemplate([&] (int, pid_t pid) {
- std::string rcvAppId;
- Api::getPkgIdByPid(pid, nullptr, &rcvAppId);
- RUNNER_ASSERT_MSG(rcvAppId == sm_app_id, "appIds don't match ret = " << rcvAppId
- << "; expected = " << sm_app_id);
- }, "tcsm28d", smackLabel);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ Api::registerPaths(preq);
- Api::uninstall(requestUninst);
+ // check labels
+ nftw_expected_label = generatePkgLabel(sm_pkg_id) + "::SharedRO";
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+ int result = nftw(path.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << path);
}
-RUNNER_CHILD_TEST(security_manager_46e_get_id_by_pid)
+RUNNER_TEST(security_manager_69_path_req_trusted_rw_no_author)
{
- const char *const sm_app_id = "sm_test_46e_app";
- const char *const sm_pkg_id = "sm_test_46e_pkg";
-
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
+ const char *const sm_app_id = "sm_test_69_app_id";
+ const char *const sm_pkg_id = "sm_test_69_pkg_id";
- Api::install(requestInst);
+ TemporaryTestUser user("sm_test_69_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- std::string smackLabel = generateAppLabel(sm_app_id);
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- clientTestTemplate([&] (int sock, pid_t) {
- Api::getPkgIdByPid(sock, nullptr, nullptr, SECURITY_MANAGER_ERROR_INPUT_PARAM);
- }, "tcsm28e", smackLabel);
+ install_app(sm_app_id, sm_pkg_id, user.getUid());
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_TRUSTED_RW);
- Api::uninstall(requestUninst);
+ Api::registerPaths(preq, (lib_retcode)SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
-RUNNER_CHILD_TEST(security_manager_47_app_has_privilege)
+RUNNER_TEST(security_manager_70_path_req_trusted_rw_positive)
{
- const char *const sm_app_id = "sm_test_47_app";
- const char *const sm_pkg_id = "sm_test_47_pkg";
- const std::string new_user_name = "sm_test_47_user_name";
+ const char *const sm_app_id = "sm_test_70_app_id";
+ const char *const sm_pkg_id = "sm_test_70_pkg_id";
+ const char *const author_id = "sm_test_70_author_id";
- InstallRequest requestInst;
- requestInst.setAppId(sm_app_id);
- requestInst.setPkgId(sm_pkg_id);
- for (auto const &privilege : SM_ALLOWED_PRIVILEGES)
- requestInst.addPrivilege(privilege.c_str());
- Api::install(requestInst);
+ TemporaryTestUser user("sm_test_70_user_name", GUM_USERTYPE_NORMAL, false);
+ user.create();
+ std::string path = appDirPath(user, sm_app_id, sm_pkg_id);
- for (auto const &privilege : SM_ALLOWED_PRIVILEGES) {
- int result;
- Api::appHasPrivilege(sm_app_id, privilege.c_str(), getGlobalUserId(), result);
- RUNNER_ASSERT_MSG(result == 1, "Application " << sm_app_id <<
- " should have access to privilege " << privilege);
- }
+ removeTestDirs(user, sm_app_id, sm_pkg_id);
+ createTestDirs(user, sm_app_id, sm_pkg_id);
- for (auto const &privilege : SM_DENIED_PRIVILEGES) {
- int result;
- Api::appHasPrivilege(sm_app_id, privilege.c_str(), getGlobalUserId(), result);
- RUNNER_ASSERT_MSG(result == 0, "Application " << sm_app_id <<
- " should not have access to privilege " << privilege);
- }
+ InstallRequest ireq;
+ ireq.setAppId(sm_app_id);
+ ireq.setPkgId(sm_pkg_id);
+ ireq.setUid(user.getUid());
+ ireq.setAuthorId(author_id);
+ Api::install(ireq);
- InstallRequest requestUninst;
- requestUninst.setAppId(sm_app_id);
- Api::uninstall(requestUninst);
+ PathsRequest preq;
+ preq.setPkgId(sm_pkg_id);
+ preq.setUid(user.getUid());
+ preq.addPath(path, SECURITY_MANAGER_PATH_TRUSTED_RW);
+
+ Api::registerPaths(preq);
+
+ // check labels
+ TestSecurityManagerDatabase dbtest;
+ int64_t authorDb = dbtest.get_author_id(author_id);
+ nftw_expected_label = std::string("User::Author::") + std::to_string(authorDb);
+ nftw_expected_transmute = true;
+ nftw_expected_exec = false;
+ int result = nftw(path.c_str(), &nftw_check_sm_labels, FTW_MAX_FDS, FTW_PHYS);
+ RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << path);
}
int main(int argc, char *argv[])