${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/policy_configuration.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_api.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_commons.cpp
- ${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_db.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_label_monitor.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_request.cpp
${PROJECT_SOURCE_DIR}/src/security-manager-tests/common/sm_sharing_request.cpp
return result;
}
+PolicyConfiguration::PrivGroupMap PolicyConfiguration::getPrivGroupMap()
+{
+ if (m_privGroupMap.empty())
+ loadPrivGroupMap();
+ return m_privGroupMap;
+}
+
bool PolicyConfiguration::getIsAskuserEnabled() {
#ifdef ASKUSER_ENABLED
return true;
typedef std::vector<gid_t> GidVector;
typedef std::vector<std::string> GroupVector;
typedef std::vector<std::string> PrivVector;
+ typedef std::map<std::string, std::string> PrivGroupMap;
struct UserDescription {
PrivVector privVector;
GroupVector getGroup();
UserDescription& getUserDescription(UserType userType);
gid_t groupToGid(const std::string &gname);
+ PrivGroupMap getPrivGroupMap();
+ GroupVector privToGroup(const PrivVector &privVector);
static bool getIsAskuserEnabled();
GidVector groupToGid(const GroupVector &groupVector);
UserDescription loadUserDescription(UserType userType);
PrivVector loadPrivFile(const std::string &path);
- GroupVector privToGroup(const PrivVector &privVector);
void loadPrivGroupMap(void);
- std::map<std::string, std::string> m_privGroupMap;
+ PrivGroupMap m_privGroupMap;
std::map<std::string, gid_t> m_groupGidMap;
std::map<UserType, UserDescription> m_userDescriptionMap;
};
#include <app_install_helper.h>
#include <memory.h>
-#include <sm_db.h>
#include <sm_request.h>
#include <sm_api.h>
#include <temp_test_user.h>
#include <vector>
#include <security-manager-types.h>
+#include <app-runtime.h>
#include <sys/smack.h>
#include <cynara_test_client.h>
#include <memory.h>
#include <sm_api.h>
#include <sm_commons.h>
-#include <sm_db.h>
#include <synchronization_pipe.h>
#include <sm_request.h>
#include <tests_common.h>
+#include <policy_configuration.h>
#include "tzplatform.h"
using namespace SecurityManagerTest;
-// Common const values
-
-const std::vector<std::string> SM_ALLOWED_GROUPS = {"db_browser", "db_alarm"};
-
// Common implementation details
std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid)
}
}
+static void check_app(const std::string &appId, const std::string &pkgId, bool shouldBeInstalled)
+{
+ char *retPkgId;
+ int ret = security_manager_get_app_pkgid(&retPkgId, appId.c_str());
+
+ if (shouldBeInstalled) {
+ RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_SUCCESS, "The given appId is not installed.");
+
+ if (ret == SECURITY_MANAGER_SUCCESS) {
+ CStringPtr retPkgIdPtr(retPkgId);
+ RUNNER_ASSERT_MSG(strcmp(pkgId.c_str(), retPkgId) == 0,
+ "The given appId does not belong to the given pkgId.");
+ }
+ } else {
+ RUNNER_ASSERT_MSG(ret == SECURITY_MANAGER_ERROR_NO_SUCH_OBJECT, "The given appId is installed.");
+ }
+}
+
void check_app_after_install(const std::string &app_id, const std::string &pkg_id)
{
- TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_install(app_id, pkg_id);
+ check_app(app_id, pkg_id, true);
}
static void check_app_gids(const std::string &app_id, const std::vector<gid_t> &allowed_gids)
void check_app_after_install(const std::string &app_id, const std::string &pkg_id,
const privileges_t &allowed_privs,
const privileges_t &denied_privs,
- const std::vector<std::string> &allowed_groups,
bool isHybrid)
{
- TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_install(app_id, pkg_id);
+ check_app(app_id, pkg_id, true);
- /*Privileges should be granted to all users if root installs app*/
+ /* Privileges should be granted to all users if root installs app */
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, allowed_privs, denied_privs, isHybrid);
- /* Setup mapping of gids to privileges */
- /* Do this for each privilege for extra check */
- for (const auto &privilege : allowed_privs) {
- dbtest.setup_privilege_groups(privilege, allowed_groups);
- }
+ PolicyConfiguration policy;
+ const PolicyConfiguration::GroupVector allowed_groups = policy.privToGroup(allowed_privs);
+ RUNNER_ASSERT_MSG(allowed_groups.size() == allowed_privs.size(),
+ "Some privileges given were not found in the policy");
std::vector<gid_t> allowed_gids;
-
for (const auto &groupName : allowed_groups) {
errno = 0;
struct group* grp = getgrnam(groupName.c_str());
RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for " << path);
}
-void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- const bool is_pkg_removed)
+void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id)
{
- TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
+ check_app(app_id, pkg_id, false);
}
void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- const privileges_t &privileges, const bool is_pkg_removed,
- bool isHybrid)
+ const privileges_t &privileges, bool isHybrid)
{
- TestSecurityManagerDatabase dbtest;
- dbtest.test_db_after__app_uninstall(app_id, pkg_id, is_pkg_removed);
-
+ check_app(app_id, pkg_id, false);
- /*Privileges should not be granted anymore to any user*/
+ /* Privileges should not be granted anymore to any user */
check_app_permissions(app_id, pkg_id, ANY_USER_REPRESENTATION, {}, privileges, isHybrid);
}
std::string access_opposite(std::string &access) {
static const std::map<char, int> access_mapping = {{'r', 0}, {'w', 1}, {'x', 2}, {'a', 3},
{'t', 4}, {'l', 5}};
- //May write implies may lock
+ // May write implies may lock
if (access.find('w') != std::string::npos && access.find('l') == std::string::npos) {
access.append("l");
}
#include <app_install_helper.h>
#include <memory.h>
-#include <sm_db.h>
#include <temp_test_user.h>
#include <tzplatform.h>
const int FTW_MAX_FDS = 16;
-extern const std::vector<std::string> SM_ALLOWED_GROUPS;
-
std::string generateProcessLabel(const std::string &appId, const std::string &pkgId, bool isHybrid = false);
std::string generatePathRWLabel(const std::string &pkgId);
std::string generatePathROLabel(const std::string &pkgId);
std::string generatePathTrustedLabel(int64_t authorId);
std::string getPublicPathLabel();
+typedef std::vector<std::string> privileges_t;
+
int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
int /*typeflag*/, struct FTW* /*ftwbuf*/);
void check_app_permissions(const std::string &app_id, const std::string &pkg_id,
void check_app_after_install(const std::string &app_id, const std::string &pkg_id,
const privileges_t &allowed_privs,
const privileges_t &denied_privs,
- const std::vector<std::string> &allowed_groups,
bool isHybrid = false);
void check_path(const std::string &path, const std::string &label,
bool transmute = true, bool execute = false);
+void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id);
void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- const bool is_pkg_removed);
-void check_app_after_uninstall(const std::string &app_id, const std::string &pkg_id,
- const privileges_t &privileges, const bool is_pkg_removed,
- bool isHybrid = false);
+ const privileges_t &privileges, bool isHybrid = false);
std::string access_opposite(std::string &access);
void check_exact_smack_accesses(const std::string &subject,
+++ /dev/null
-/*
- * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-*/
-
-/*
- * @file sm_db.cpp
- * @author Marcin Lis (m.lis@samsung.com)
- * @version 1.0
- * @brief security-manager tests database record check functions
- */
-
-#include <tests_common.h>
-#include <tzplatform_config.h>
-#include <sstream>
-#include "sm_db.h"
-#include "db_sqlite.h"
-
-/* Keep this consistent with the database file path used in the security-manager */
-const char *const PRIVILEGE_DB_PATH = tzplatform_mkpath(TZ_SYS_DB, ".security-manager.db");
-
-/* Initialize static constants */
-const bool TestSecurityManagerDatabase::NOT_REMOVED = false;
-const bool TestSecurityManagerDatabase::REMOVED = true;
-
-TestSecurityManagerDatabase::TestSecurityManagerDatabase() : m_base(PRIVILEGE_DB_PATH, SQLITE_OPEN_READWRITE)
-{
-}
-
-void TestSecurityManagerDatabase::test_db_after__app_install(const std::string &app_name,
- const std::string &pkg_name)
-{
- if (!m_base.is_open())
- m_base.open();
-
- RUNNER_ASSERT_MSG(!app_name.empty(), "Request is corrupted, appId is empty");
- RUNNER_ASSERT_MSG(!pkg_name.empty(), "Request is corrupted, pkgId is empty");
-
- check_app_and_pkg(app_name, pkg_name, NOT_REMOVED);
-}
-
-void TestSecurityManagerDatabase::test_db_after__app_uninstall(const std::string &app_name,
- const std::string &pkg_name,
- const bool is_pkg_removed)
-{
- if (!m_base.is_open())
- m_base.open();
-
- RUNNER_ASSERT_MSG(!app_name.empty(), "Request is corrupted, appId is empty");
- RUNNER_ASSERT_MSG(!pkg_name.empty(), "Request is corrupted, pkgId is empty");
-
- check_app_and_pkg(app_name, pkg_name, REMOVED);
- check_pkg(pkg_name, is_pkg_removed);
-}
-
-void TestSecurityManagerDatabase::check_app_and_pkg(const std::string &app_name, const std::string &pkg_name,
- const bool is_app_removed)
-{
- Sqlite3DBaseSelectResult result;
- std::ostringstream sql;
- sql << "SELECT app_name, pkg_name FROM user_app_pkg_view"
- " WHERE app_name == '" << app_name << "' "
- " AND pkg_name == '" << pkg_name << "' ;";
- m_base.execute(sql.str(), result);
-
- if (is_app_removed) /* expect 0 results */
- RUNNER_ASSERT_MSG(result.rows.size() == 0, "query : <" << sql.str() <<
- "> returned [" << result.rows.size() << "] rows, expected [0]");
- else /* expect exactly 1 result with 2 columns */
- RUNNER_ASSERT_MSG(result.rows.size() == 1 && result.rows[0].size() == 2, "query : <" <<
- sql.str() << "> returned [" << result.rows.size() << "] rows, expected [1]");
-}
-
-void TestSecurityManagerDatabase::check_pkg(const std::string &pkg_name,
- const bool is_pkg_removed)
-{
- const unsigned expected_rows = is_pkg_removed ? 0 : 1;
- Sqlite3DBaseSelectResult result;
- std::ostringstream sql;
- sql << "SELECT pkg_id FROM pkg"
- " WHERE name == '" << pkg_name << "' ;";
- m_base.execute(sql.str(), result);
-
- RUNNER_ASSERT_MSG(result.rows.size() == expected_rows, "query : <" <<
- sql.str() << "> returned [" << result.rows.size() << "] rows, expected [" <<
- expected_rows << "] rows");
-}
-
-void TestSecurityManagerDatabase::setup_privilege_groups(const std::string &privilege,
- const std::vector<std::string> &groups)
-{
- Sqlite3DBaseSelectResult result;
- std::ostringstream sql;
-
- if (!m_base.is_open())
- m_base.open();
-
- for (const auto &group : groups) {
- sql.clear();
- sql.str("");
- sql << "INSERT OR IGNORE INTO privilege_group (privilege_name, group_name) "
- "VALUES ("
- << "'" << privilege << "'" << ","
- << "'" << group << "'" << ")";
- m_base.execute(sql.str(), result);
- }
-}
-
-int64_t TestSecurityManagerDatabase::get_author_id(const std::string &authorName)
-{
- Sqlite3DBaseSelectResult result;
- std::ostringstream sql;
-
- if (!m_base.is_open())
- m_base.open();
-
- sql.clear();
- sql.str("SELECT author_id FROM author where name=\"" + authorName + "\"");
- m_base.execute(sql.str(), result);
-
- if(result.rows.empty())
- return 0;
-
- std::istringstream os(result.rows[0][0]);
- int64_t id;
- os >> id;
- return id;
-}
-
-std::string TestSecurityManagerDatabase::get_path_label(const std::string &path)
-{
- Sqlite3DBaseSelectResult result;
- std::ostringstream sql;
- if (!m_base.is_open())
- m_base.open();
- sql.clear();
- sql.str("SELECT path_label FROM shared_path WHERE path=\"" + path + "\"");
- m_base.execute(sql.str(), result);
-
- if(result.rows.empty())
- return "";
-
- return result.rows[0][0];
-}
+++ /dev/null
-/*
- * Copyright (c) 2014-2016 Samsung Electronics Co., Ltd All Rights Reserved
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
-*/
-
-/*
- * @file sm_db.h
- * @author Marcin Lis (m.lis@samsung.com)
- * @version 1.0
- * @brief security-manager tests database record check functions
- */
-
-#ifndef SECURITY_MANAGER_TEST_DB_H_
-#define SECURITY_MANAGER_TEST_DB_H_
-
-#include <string>
-#include "db_sqlite.h"
-
-typedef std::vector<std::string> privileges_t;
-
-/**
- * @class TestSecurityManagerDatabase
- * @brief Class containing methods for testing libprivlege database.
- */
-class TestSecurityManagerDatabase
-{
-public:
-/**
- * @brief A usefull constant to indicate that app/pkg should be present in db
- */
- const static bool NOT_REMOVED;
-/**
- * @brief A usefull constant to indicate that app/pkg should not be present in db
- */
- const static bool REMOVED;
-/**
- * @brief A constructor
- */
- TestSecurityManagerDatabase();
-
-/**
- * @brief A destructor
- */
- ~TestSecurityManagerDatabase() = default;
-
-/**
- * @brief Method for testing database after "security_manager_app_install" was run.
- *
- * It checks existence of proper: - app_name
- * - pkg_name
- *
- * @param app_name name of the app previously used in security_manager_app_install.
- * @param pkg_name name of the pkg previously used in security_manager_app_install.
- */
- void test_db_after__app_install(const std::string &app_name, const std::string &pkg_name);
-
-/**
- * @brief Method for testing database after "security_manager_app_uninstall" was run.
- *
- * It checks absence of proper: - app_name
- * - optionally pkg_name
- *
- * @param app_name name of the app previously used in security_manager_app_uninstall.
- * @param pkg_name name of the pkg previously used in security_manager_app_uninstall.
- * @param is_pkg_removed tells if pkg_id is expected to remain in db or not.
- */
- void test_db_after__app_uninstall(const std::string &app_name, const std::string &pkg_name,
- const bool is_pkg_removed);
-
-/**
- * @brief Method for setting privilege to groups mapping in security-manager database
- *
- * @param privilege name of the privilege
- * @param groups vector of group names
- */
- void setup_privilege_groups(const std::string &privilege,
- const std::vector<std::string> &groups);
-
-/**
- * @brief Method for getting author id from database.
- */
- int64_t get_author_id(const std::string &authorName);
-/**
- * @brief Method for path label from database.
- */
- std::string get_path_label(const std::string &path);
-private:
-/**
- * @var base
- * @brief Sqlite3DBase object giving simple access to database
- *
- * Connection to database is open first time it is needed
- * and closed in destructor of TestSecurityManagerDatabase.
- */
- Sqlite3DBase m_base;
-
-/**
- * @brief Check db for [non]existence of given app_name in pkg_name
- *
- * @param app_name name of application
- * @param pkg_name name of package
- * @param is_app_removed tells if app is expected in db
- */
- void check_app_and_pkg(const std::string &app_name, const std::string &pkg_name,
- const bool is_app_removed);
-
-/**
- * @brief Check db for [non]existence of given pkg_name
- *
- * @param pkg_name name of the package
- * @param is_pkg_removed tells if pkg is expected in db
- */
- void check_pkg(const std::string &pkg_name,
- const bool is_pkg_removed);
-};
-
-#endif /* SECURITY_MANAGER_TEST_DB_H_ */
AppInstallHelper app("sm_test_01a_app");
{
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
{
ScopedInstaller appInstall2(app);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
}
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
}
}
Api::install(requestInst2, SECURITY_MANAGER_ERROR_INPUT_PARAM);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
}
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
}
RUNNER_TEST(security_manager_01c_app_uninstall_pkg_id_ignored)
AppInstallHelper app("sm_test_01c");
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
InstallRequest requestUninst;
Api::uninstall(requestUninst);
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
// ScopedInstaller destructor (app second uninstallation) won't have any effect
}
RUNNER_TEST(security_manager_02_app_install_uninstall_full)
{
- const privileges_t allowedPrivs = {
- "http://tizen.org/privilege/display",
- "http://tizen.org/privilege/nfc"
- };
-
- const privileges_t someDeniedPrivs = {
- "http://tizen.org/privilege/bluetooth",
- "http://tizen.org/privilege/power"
- };
+ PolicyConfiguration policy;
+ PolicyConfiguration::PrivGroupMap privGroupMap = policy.getPrivGroupMap();
+
+ RUNNER_ASSERT_MSG(privGroupMap.size() >= 4, "Failed to get policy of a suitable size");
+
+ privileges_t allowedPrivs;
+ privileges_t someDeniedPrivs;
+
+ int counter = 0;
+ for (auto const &it: privGroupMap) {
+ if (counter < 2)
+ allowedPrivs.push_back(it.first);
+ else if (counter < 4)
+ someDeniedPrivs.push_back(it.first);
+ else
+ break;
+ ++counter;
+ }
AppInstallHelper app("sm_test_02");
app.createPrivateDir();
{
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db, groups
check_app_after_install(app.getAppId(), app.getPkgId(),
- app.getPrivileges(), someDeniedPrivs, SM_ALLOWED_GROUPS);
+ app.getPrivileges(), someDeniedPrivs);
check_path(app.getPrivateDir(), generatePathRWLabel(app.getPkgId()));
check_path(app.getPrivateRODir(), generatePathROLabel(app.getPkgId()), false);
check_path(app.getSharedRODir(), generatePathSharedROLabel(app.getPkgId()));
}
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(),
- app.getPrivileges(), TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId(), app.getPrivileges());
}
RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid)
check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(),
{}, merge(allowedPrivs, someDeniedPrivs));
+
// TODO - check if app is uninstalled
}
AppInstallHelper app("sm_test_07b", testUser.getUid());
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db
+ serviceManager.startService();
check_app_after_install(app.getAppId(), app.getPkgId());
- serviceManager.startService();
testUser.remove();
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), true);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
}
RUNNER_TEST(security_manager_08_user_double_add_double_remove)
AppInstallHelper app("sm_test_08", testUser.getUid());
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
// gumd
testUser.remove();
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), true);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
check_app_permissions(app.getAppId(), app.getPkgId(), testUser.getUidString(), {}, somePrivs);
// security-manager
{
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
}
// Check records in the security-manager database
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
}
RUNNER_TEST(security_manager_25b_global_user_set_install_type_local)
app.setInstallType(SM_APP_INSTALL_PRELOADED);
{
ScopedInstaller appInstall(app);
- // FIXME - whitebox - db
check_app_after_install(app.getAppId(), app.getPkgId());
}
- // FIXME - whitebox - db
- check_app_after_uninstall(app.getAppId(), app.getPkgId(), TestSecurityManagerDatabase::REMOVED);
+ check_app_after_uninstall(app.getAppId(), app.getPkgId());
}
RUNNER_TEST(security_manager_25d_local_user_set_install_type_invalid)
Api::registerPaths(preq);
- // check labels
- TestSecurityManagerDatabase dbtest;
- int64_t authorDb = dbtest.get_author_id(app.getAuthor());
- check_path(app.getTrustedDir(), generatePathTrustedLabel(authorDb));
+ // TODO: check labels, e.g. install second label with same author and compare them
+ //check_path(app.getTrustedDir(), generatePathTrustedLabel(authorDb));
}
#include <scoped_installer.h>
#include <sm_api.h>
#include <sm_commons.h>
-#include <sm_db.h>
#include <sm_request.h>
#include <temp_test_user.h>
#include <tests_common.h>
projects / platform / core / test / security-tests.git / commitdiff