From: Jan Cybulski <j.cybulski@samsung.com>
Date: Tue, 10 Feb 2015 07:12:33 +0000 (+0100)
Subject: Test scenario for denying some privileges to a user by admin
X-Git-Tag: security-manager_5.5_testing~109^2~26
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Ftest%2Fsecurity-tests.git;a=commitdiff_plain;h=8ee1016ffa4f441ac07655ecbbfd135f01bbdace

Test scenario for denying some privileges to a user by admin

Change-Id: I2b80c7643d6565fb2e5b8b5d1619214ad0f64d85
Signed-off-by: Jan Cybulski <j.cybulski@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
---

diff --git a/tests/security-manager-tests/security_manager_tests.cpp b/tests/security-manager-tests/security_manager_tests.cpp
index 0478491..a342ea9 100644
--- a/tests/security-manager-tests/security_manager_tests.cpp
+++ b/tests/security-manager-tests/security_manager_tests.cpp
@@ -8,6 +8,9 @@
 #include <sys/capability.h>
 #include <semaphore.h>
 
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <attr/xattr.h>
@@ -2176,6 +2179,110 @@ RUNNER_CHILD_TEST(security_manager_12_security_manager_cmd_users)
     }
 }
 
+RUNNER_MULTIPROCESS_TEST(security_manager_13_security_manager_admin_deny_user_priv)
+{
+    const int BUFFER_SIZE = 128;
+    struct message {
+        uid_t uid;
+        gid_t gid;
+        char buf[BUFFER_SIZE];
+    } msg;
+
+    privileges_t admin_required_privs = {
+            "http://tizen.org/privilege/systemsettings.admin",
+            "http://tizen.org/privilege/systemsettings"};
+    privileges_t manifest_privs = {
+            "http://tizen.org/privilege/internet",
+            "http://tizen.org/privilege/camera"};
+    privileges_t real_privs_allow = {"http://tizen.org/privilege/camera"};
+    privileges_t real_privs_deny = {"http://tizen.org/privilege/internet"};
+
+    const std::string pirivman_id = "sm_test_13_ADMIN_APP";
+    const std::string pirivman_pkg_id = "sm_test_13_ADMIN_PKG";
+    const std::string app_id = "sm_test_13_SOME_APP";
+    const std::string pkg_id = "sm_test_13_SOME_PKG";
+
+    int pipefd[2];
+    pid_t pid;
+    int result = 0;
+
+    RUNNER_ASSERT_MSG((pipe(pipefd) != -1),"pipe failed");
+    pid = fork();
+    RUNNER_ASSERT_MSG(pid >= 0, "fork failed");
+    if (pid != 0)//parent process
+    {
+        std::string childuidstr;
+        TemporaryTestUser admin("sm_test_13_ADMIN_USER", GUM_USERTYPE_ADMIN, true);
+        TemporaryTestUser child("sm_test_13_NORMAL_USER", GUM_USERTYPE_NORMAL, true);
+
+        InstallRequest request,request2;
+        FdUniquePtr pipeptr(pipefd+1);
+        close(pipefd[0]);
+
+        admin.create();
+        child.create();
+        child.getUidString(childuidstr);
+
+        //install privacy manager for admin
+        request.setAppId(pirivman_id.c_str());
+        request.setPkgId(pirivman_pkg_id.c_str());
+        request.setUid(admin.getUid());
+        for (auto &priv: admin_required_privs)
+            request.addPrivilege(priv.c_str());
+        Api::install(request);
+
+        //install app for child that has internet privilege
+        request2.setAppId(app_id.c_str());
+        request2.setPkgId(pkg_id.c_str());
+        request2.setUid(child.getUid());
+        for (auto &priv: manifest_privs)
+            request2.addPrivilege(priv.c_str());
+        Api::install(request2);
+
+        check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+                              manifest_privs, SM_NO_PRIVILEGES);
+
+        //send info to child
+        msg.uid = admin.getUid();
+        msg.gid = admin.getGid();
+        strncpy (msg.buf, childuidstr.c_str(), BUFFER_SIZE);
+
+        ssize_t written = TEMP_FAILURE_RETRY(write(pipefd[1], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG((written == sizeof(struct message)),"write failed");
+
+        //wait for child
+        RUNNER_ASSERT_MSG(wait(&result) == pid, "wait failed");
+
+        check_app_permissions(app_id.c_str(), pkg_id.c_str(), childuidstr.c_str(),
+                              real_privs_allow, real_privs_deny);
+    }
+    if (pid == 0)//child
+    {
+        FdUniquePtr pipeptr(pipefd);
+        close(pipefd[1]);
+
+        ssize_t fetched = TEMP_FAILURE_RETRY(read(pipefd[0], &msg, sizeof(struct message)));
+        RUNNER_ASSERT_MSG(fetched == sizeof(struct message), "read failed");
+
+        //become admin privacy manager manager
+        Api::setProcessLabel(pirivman_id.c_str());
+        result = drop_root_privileges(msg.uid, msg.gid);
+        RUNNER_ASSERT_MSG(result == 0, "drop_root_privileges failed");
+        PolicyRequest addPolicyReq;
+        //change rights
+        for (auto &denypriv:real_privs_deny) {
+            /*this entry will deny some privileges for user whose uid (as c string)
+              was sent in message's buf field.
+              That user would be denying internet for child in this case*/
+            PolicyEntry entry(SECURITY_MANAGER_ANY, msg.buf, denypriv);
+            entry.setMaxLevel("Deny");
+            addPolicyReq.addEntry(entry);
+        }
+        Api::sendPolicy(addPolicyReq);
+        exit(0);
+    }
+}
+
 int main(int argc, char *argv[])
 {
     return DPL::Test::TestRunnerSingleton::Instance().ExecTestRunner(argc, argv);