From 10336ec78265cee9a3fa4d82c2f895dad3383444 Mon Sep 17 00:00:00 2001 From: Krzysztof Jackiewicz Date: Fri, 24 Apr 2020 16:09:05 +0200 Subject: [PATCH] Unify privilege representation - Use common privilege names in all sm tests - Remove ambigious/deprecated methods from AppInstallHelper - Use PrivilegeVector instead of PolicyConfiguration::PrivVector in AppInstallHelper and related code - Add privilege vectors instead of individual privileges where possible Change-Id: I96cac9bacc8de271f9b9f9ceb7bf7c248fb26171 --- src/common/app_def_privilege.h | 2 + src/common/app_install_helper.cpp | 16 +-- src/common/app_install_helper.h | 4 +- .../common/app_install_helper_ext.cpp | 17 +-- .../common/app_install_helper_ext.h | 10 +- .../common/policy_configuration.cpp | 13 --- .../common/policy_configuration.h | 19 ++- src/security-manager-tests/test_cases.cpp | 52 ++++----- .../test_cases_app_defined_privilege.cpp | 8 +- .../test_cases_app_policy.cpp | 11 +- src/security-manager-tests/test_cases_nss.cpp | 7 +- .../test_cases_prepare_app.cpp | 21 ++-- .../test_cases_privacy_manager.cpp | 129 ++++++++------------- 13 files changed, 127 insertions(+), 182 deletions(-) diff --git a/src/common/app_def_privilege.h b/src/common/app_def_privilege.h index a39b7ba..40d1d46 100644 --- a/src/common/app_def_privilege.h +++ b/src/common/app_def_privilege.h @@ -72,6 +72,8 @@ public: operator std::string() const { return m_name; } + bool operator==(const std::string& other) const { return m_name == other; } + private: std::string m_name; Type m_type; diff --git a/src/common/app_install_helper.cpp b/src/common/app_install_helper.cpp index 2493bfe..6012c3a 100644 --- a/src/common/app_install_helper.cpp +++ b/src/common/app_install_helper.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -279,20 +279,6 @@ bool AppInstallHelper::getIsHybrid() const { return m_isHybrid; } -void AppInstallHelper::addPrivileges(const std::vector &privileges) { - for (auto &p : privileges) { - addPrivilege(Privilege(p)); - } -} - -std::vector AppInstallHelper::getPrivilegesNames() const { - std::vector privileges; - for (auto &p : m_privileges) { - privileges.push_back(p.getName()); - } - return privileges; -} - void AppInstallHelper::addPrivilege(Privilege privilege) { m_privileges.push_back(std::move(privilege)); } diff --git a/src/common/app_install_helper.h b/src/common/app_install_helper.h index 9841481..fbd943c 100644 --- a/src/common/app_install_helper.h +++ b/src/common/app_install_helper.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2019 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2014-2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -129,8 +129,6 @@ struct AppInstallHelper { const TypePathsMap& getFilesMap() const; // Privileges - std::vector getPrivilegesNames() const; // deprecated - void addPrivileges(const std::vector &privileges); // deprecated void addPrivilege(Privilege privilege); void addPrivileges(const PrivilegeVector &privileges); const PrivilegeVector& getPrivileges() const; diff --git a/src/security-manager-tests/common/app_install_helper_ext.cpp b/src/security-manager-tests/common/app_install_helper_ext.cpp index fc59380..2f4e0ee 100644 --- a/src/security-manager-tests/common/app_install_helper_ext.cpp +++ b/src/security-manager-tests/common/app_install_helper_ext.cpp @@ -30,6 +30,7 @@ #include #include #include +#include namespace { constexpr char SMACK_RULES_PATH[] = "/sys/fs/smackfs/load2"; @@ -88,8 +89,8 @@ void checkExactSmackAccesses(const std::string &subject, const std::string &obje namespace SecurityManagerTest { -void AppInstallHelperExt::checkPrivileges(const PolicyConfiguration::PrivVector &allowedPrivs, - const PolicyConfiguration::PrivVector &deniedPrivs) const +void AppInstallHelperExt::checkPrivileges(const PrivilegeVector &allowedPrivs, + const PrivilegeVector &deniedPrivs) const { /* Privileges should be granted to all users if root installs app */ auto user = (m_uidGid == 0 ? ANY_USER_REPRESENTATION : std::to_string(m_uidGid)); @@ -100,7 +101,7 @@ void AppInstallHelperExt::checkPrivileges(const PolicyConfiguration::PrivVector int result; for (auto &priv : allowedPrivs) { - ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_ALLOWED); + ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_ALLOWED); Api::appHasPrivilege(m_appName, priv, m_uidGid, result); RUNNER_ASSERT_MSG(result == 1, @@ -108,7 +109,7 @@ void AppInstallHelperExt::checkPrivileges(const PolicyConfiguration::PrivVector } for (auto &priv : deniedPrivs) { - ctc.check(smackLabel.c_str(), "", user, priv.c_str(), CYNARA_API_ACCESS_DENIED); + ctc.check(smackLabel.c_str(), "", user, priv.getName().c_str(), CYNARA_API_ACCESS_DENIED); Api::appHasPrivilege(m_appName, priv, m_uidGid, result); RUNNER_ASSERT_MSG(result == 0, @@ -116,12 +117,12 @@ void AppInstallHelperExt::checkPrivileges(const PolicyConfiguration::PrivVector } } -void AppInstallHelperExt::checkDeniedPrivileges(const PolicyConfiguration::PrivVector &deniedPrivs) const +void AppInstallHelperExt::checkDeniedPrivileges(const PrivilegeVector &deniedPrivs) const { checkPrivileges({}, deniedPrivs); } -void AppInstallHelperExt::checkPrivilegeGroups(const PolicyConfiguration::PrivVector &allowedPrivs) const +void AppInstallHelperExt::checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const { static PolicyConfiguration policy; const auto allowed_groups = policy.privToGroup(allowedPrivs); @@ -149,7 +150,7 @@ void AppInstallHelperExt::checkAfterInstall() const checkSmackAccesses(staticRules[m_isHybrid]); - checkPrivileges(getPrivilegesNames(), {}); + checkPrivileges(m_privileges, {}); } void AppInstallHelperExt::checkAfterUninstall(bool removePkg) const @@ -162,7 +163,7 @@ void AppInstallHelperExt::checkAfterUninstall(bool removePkg) const // there should be no hybrid rules regardless of the app type checkHybridAppSmackRulesAterUninstall(); - checkDeniedPrivileges(getPrivilegesNames()); + checkDeniedPrivileges(m_privileges); } void AppInstallHelperExt::checkSmackAccesses(std::vector rules, bool hasAccess) const diff --git a/src/security-manager-tests/common/app_install_helper_ext.h b/src/security-manager-tests/common/app_install_helper_ext.h index 9e599e2..00c5c49 100644 --- a/src/security-manager-tests/common/app_install_helper_ext.h +++ b/src/security-manager-tests/common/app_install_helper_ext.h @@ -21,7 +21,7 @@ #include #include -#include +#include namespace SecurityManagerTest { @@ -29,10 +29,10 @@ class AppInstallHelperExt : public AppInstallHelper { public: using AppInstallHelper::AppInstallHelper; - void checkPrivileges(const PolicyConfiguration::PrivVector &allowedPrivs, - const PolicyConfiguration::PrivVector &deniedPrivs) const; - void checkDeniedPrivileges(const PolicyConfiguration::PrivVector &deniedPrivs) const; - void checkPrivilegeGroups(const PolicyConfiguration::PrivVector &allowedPrivs) const; + void checkPrivileges(const PrivilegeVector &allowedPrivs, + const PrivilegeVector &deniedPrivs) const; + void checkDeniedPrivileges(const PrivilegeVector &deniedPrivs) const; + void checkPrivilegeGroups(const PrivilegeVector &allowedPrivs) const; void checkAfterInstall() const; void checkAfterUninstall(bool removePkg = true) const; diff --git a/src/security-manager-tests/common/policy_configuration.cpp b/src/security-manager-tests/common/policy_configuration.cpp index 156d6bb..64e3b9a 100644 --- a/src/security-manager-tests/common/policy_configuration.cpp +++ b/src/security-manager-tests/common/policy_configuration.cpp @@ -140,19 +140,6 @@ PolicyConfiguration::PrivVector PolicyConfiguration::loadPrivFile(const std::str return result; } -PolicyConfiguration::GroupVector PolicyConfiguration::privToGroup(const PolicyConfiguration::PrivVector &privVector) { - GroupVector result; - if (m_privGroupMap.empty()) - loadPrivGroupMap(); - for (auto &e : privVector) { - auto it = m_privGroupMap.find(e); - if (it == m_privGroupMap.end()) - continue; - result.push_back(it->second); - } - return result; -} - PolicyConfiguration::PrivVector PolicyConfiguration::getSystemdManagedPrivs() { PolicyConfiguration::PrivVector result; diff --git a/src/security-manager-tests/common/policy_configuration.h b/src/security-manager-tests/common/policy_configuration.h index f807411..3d2c1a0 100644 --- a/src/security-manager-tests/common/policy_configuration.h +++ b/src/security-manager-tests/common/policy_configuration.h @@ -51,7 +51,9 @@ public: gid_t groupToGid(const std::string &gname); PrivGroupMap getPrivGroupMap(); PrivVector getSystemdManagedPrivs(); - GroupVector privToGroup(const PrivVector &privVector); + + template + GroupVector privToGroup(const T &privVector); GidVector groupToGid(const GroupVector &groupVector); static bool getIsAskuserEnabled(); @@ -68,6 +70,21 @@ private: std::map m_userDescriptionMap; }; +template +PolicyConfiguration::GroupVector PolicyConfiguration::privToGroup(const T &privVector) { + GroupVector result; + if (m_privGroupMap.empty()) + loadPrivGroupMap(); + for (auto &e : privVector) { + auto it = m_privGroupMap.find(e); + if (it == m_privGroupMap.end()) + continue; + result.push_back(it->second); + } + return result; +} + + } // namespace SecurityManagerTest #endif diff --git a/src/security-manager-tests/test_cases.cpp b/src/security-manager-tests/test_cases.cpp index b7c75ea..72e17e4 100644 --- a/src/security-manager-tests/test_cases.cpp +++ b/src/security-manager-tests/test_cases.cpp @@ -47,6 +47,7 @@ #include #include #include +#include using namespace SecurityManagerTest; using namespace PrivilegeNames; @@ -137,15 +138,15 @@ RUNNER_TEST(security_manager_01d_app_install_complicated_dir_tree) RUNNER_TEST(security_manager_02_app_install_uninstall_full) { - const PolicyConfiguration::PrivVector defaultPrivs = { + const PrivilegeVector defaultPrivs = { PRIV_INTERNAL_AUDIO, PRIV_INTERNAL_DISPLAY, PRIV_INTERNAL_VIDEO, }; - const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE}; - const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_INTERNET, PRIV_EXTERNALSTORAGE}; + const PrivilegeVector allowedPrivs = {PRIV_CAMERA, PRIV_MEDIASTORAGE}; + const PrivilegeVector someDeniedPrivs = {PRIV_INTERNET, PRIV_EXTERNALSTORAGE}; - PolicyConfiguration::PrivVector defaultAllowedPrivs = defaultPrivs; + PrivilegeVector defaultAllowedPrivs = defaultPrivs; defaultAllowedPrivs.insert(defaultAllowedPrivs.end(), allowedPrivs.begin(), allowedPrivs.end()); AppInstallHelperExt app("sm_test_02"); @@ -230,8 +231,8 @@ RUNNER_CHILD_TEST_SMACK(security_manager_03_set_label_from_appid) RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_self) { - const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_BLUETOOTH, PRIV_POWER}; - const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_DISPLAY, PRIV_NFC}; + const PrivilegeVector allowedPrivs = {PRIV_BLUETOOTH, PRIV_POWER}; + const PrivilegeVector someDeniedPrivs = {PRIV_DISPLAY, PRIV_NFC}; TemporaryTestUser testUser("sm_test_04a_user_name", GUM_USERTYPE_NORMAL); testUser.create(); @@ -251,8 +252,8 @@ RUNNER_CHILD_TEST(security_manager_04a_app_install_uninstall_by_app_user_for_sel } RUNNER_CHILD_TEST(security_manager_04b_app_install_by_root_for_app_user) { - const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_INTERNET, PRIV_LED}; - const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION}; + const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED}; + const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION}; TemporaryTestUser testUser("sm_test_04b_user_name", GUM_USERTYPE_NORMAL); testUser.create(); @@ -305,8 +306,8 @@ RUNNER_TEST(security_manager_06_install_app_offline) RUNNER_CHILD_TEST(security_manager_07a_user_add_app_install) { - const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_INTERNET, PRIV_LED}; - const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION}; + const PrivilegeVector allowedPrivs = {PRIV_INTERNET, PRIV_LED}; + const PrivilegeVector someDeniedPrivs = {PRIV_LOCATION, PRIV_NOTIFICATION}; TemporaryTestUser testUser("sm_test_07a_user_name", GUM_USERTYPE_NORMAL); testUser.create(); @@ -353,7 +354,7 @@ RUNNER_TEST(security_manager_07b_user_add_offline) RUNNER_TEST(security_manager_08_user_double_add_double_remove) { - const PolicyConfiguration::PrivVector somePrivs = {PRIV_LED, PRIV_NOTIFICATION}; + const PrivilegeVector somePrivs = {PRIV_LED, PRIV_NOTIFICATION}; // gumd TemporaryTestUser testUser("sm_test_08_user_name", GUM_USERTYPE_NORMAL); @@ -597,8 +598,8 @@ RUNNER_TEST(security_manager_09d_uninstall_app_from_hybrid_package) RUNNER_CHILD_TEST(security_manager_10_app_has_privilege) { - const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY}; - const PolicyConfiguration::PrivVector someDeniedPrivs = {PRIV_VPNSERVICE, PRIV_NOTIFICATION}; + const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY}; + const PrivilegeVector someDeniedPrivs = {PRIV_VPNSERVICE, PRIV_NOTIFICATION}; AppInstallHelperExt app("sm_test_10"); app.addPrivileges(allowedPrivs); @@ -641,13 +642,10 @@ RUNNER_TEST(security_manager_20_user_cynara_policy) RUNNER_CHILD_TEST(security_manager_21_security_manager_admin_deny_user_priv) { - const PolicyConfiguration::PrivVector adminRequiredPrivs = { - PRIV_NOTEXIST, - PRIV_INTERNAL_USERMANAGEMENT - }; - const PolicyConfiguration::PrivVector manifestPrivs = {PRIV_INTERNET, PRIV_DATASHARING}; - const PolicyConfiguration::PrivVector allowedPrivsAfterChange = {PRIV_DATASHARING}; - const PolicyConfiguration::PrivVector deniedPrivsAfterChange = {PRIV_INTERNET}; + const PrivilegeVector adminRequiredPrivs = {PRIV_NOTEXIST, PRIV_INTERNAL_USERMANAGEMENT}; + const PrivilegeVector manifestPrivs = {PRIV_INTERNET, PRIV_DATASHARING}; + const PrivilegeVector allowedPrivsAfterChange = {PRIV_DATASHARING}; + const PrivilegeVector deniedPrivsAfterChange = {PRIV_INTERNET}; TemporaryTestUser adminUser("sm_test_21_admin_user_name", GUM_USERTYPE_ADMIN, false); TemporaryTestUser normalUser("sm_test_21_normal_user_name", GUM_USERTYPE_NORMAL, false); @@ -891,16 +889,8 @@ RUNNER_CHILD_TEST(security_manager_25f_unprivileged_install_type_preloaded) RUNNER_CHILD_TEST(security_manager_25g_local_user_set_install_type_local) { - const PolicyConfiguration::PrivVector allowedPrivs = { - PRIV_VOLUME_SET, - PRIV_SYSTEMMONITOR, - PRIV_INTERNET - }; - const PolicyConfiguration::PrivVector someDeniedPrivs = { - PRIV_PUSH, - PRIV_POWER, - PRIV_NOTIFICATION, - }; + const PrivilegeVector allowedPrivs = {PRIV_VOLUME_SET, PRIV_SYSTEMMONITOR, PRIV_INTERNET}; + const PrivilegeVector someDeniedPrivs = {PRIV_PUSH, PRIV_POWER, PRIV_NOTIFICATION}; TemporaryTestUser testUser("sm_test_25g_user_name", GUM_USERTYPE_NORMAL); testUser.create(); @@ -979,7 +969,7 @@ RUNNER_CHILD_TEST(security_manager_26_hybrid_pkg_uninstall_artifacts_check) TemporaryTestUser testUser("sm_test_26_user_name", GUM_USERTYPE_NORMAL); testUser.create(); - const PolicyConfiguration::PrivVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY}; + const PrivilegeVector allowedPrivs = {PRIV_WIFIDIRECT, PRIV_TELEPHONY}; AppInstallHelperExt app1("sm_test_26_1", "sm_test_26", testUser.getUid()); app1.addPrivileges(allowedPrivs); diff --git a/src/security-manager-tests/test_cases_app_defined_privilege.cpp b/src/security-manager-tests/test_cases_app_defined_privilege.cpp index a72a7d6..2e8965c 100644 --- a/src/security-manager-tests/test_cases_app_defined_privilege.cpp +++ b/src/security-manager-tests/test_cases_app_defined_privilege.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2017 - 2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,10 +29,12 @@ #include #include #include +#include RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_APP_DEFINED_PRIVILEGE) using namespace SecurityManagerTest; +using namespace PrivilegeNames; RUNNER_CHILD_TEST(app_defined_01_global_install_untrusted) { @@ -544,7 +546,7 @@ RUNNER_CHILD_TEST(app_defined_09_add_get_client_license) RUNNER_CHILD_TEST(app_defined_10_check_system_privileges) { const std::string providerAppId = "app_def_09_provider"; - const Privilege privilege("http://tizen.org/privilege/internet", Privilege::UNTRUSTED); + const Privilege privilege(PRIV_INTERNET, Privilege::UNTRUSTED); InstallRequest requestInst; requestInst.setAppId(providerAppId); @@ -608,4 +610,4 @@ RUNNER_CHILD_TEST(app_defined_12_invalid_common_name) CynaraTestClient::Client cynara; cynara.check(clientLabel, session, ownerId, clientPrivilegeLicense, CYNARA_API_ACCESS_DENIED); -} \ No newline at end of file +} diff --git a/src/security-manager-tests/test_cases_app_policy.cpp b/src/security-manager-tests/test_cases_app_policy.cpp index bb3ab94..27267f8 100644 --- a/src/security-manager-tests/test_cases_app_policy.cpp +++ b/src/security-manager-tests/test_cases_app_policy.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -27,11 +27,14 @@ #include #include +#include + +using namespace PrivilegeNames; const PrivilegeVector TEST_PRIVACY_PRIVILEGES = { - Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY), - Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY), - Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY) }; + Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY), + Privilege(PRIV_ACCOUNT_READ, Privilege::PRIVACY), + Privilege(PRIV_HEALTHINFO, Privilege::PRIVACY) }; using namespace SecurityManagerTest; diff --git a/src/security-manager-tests/test_cases_nss.cpp b/src/security-manager-tests/test_cases_nss.cpp index 3cfdc64..152f4b5 100644 --- a/src/security-manager-tests/test_cases_nss.cpp +++ b/src/security-manager-tests/test_cases_nss.cpp @@ -28,10 +28,12 @@ #include #include #include +#include #include using namespace SecurityManagerTest; +using namespace PrivilegeNames; RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_NSS_PLUGIN) @@ -107,10 +109,7 @@ RUNNER_CHILD_TEST(nss_03_guest_user_without_inter_daemon_groups_unaffected_by_cy // Removing one more privilege from policy (that has GID associated), which should not affect nss daemon groups PolicyRequest policyRequest; - PolicyEntry entry( - SECURITY_MANAGER_ANY, - std::to_string(static_cast(testUser.getUid())), - "http://tizen.org/privilege/camera"); + PolicyEntry entry(SECURITY_MANAGER_ANY, testUser.getUidString(), PRIV_CAMERA); entry.setMaxLevel(PolicyEntry::LEVEL_DENY); policyRequest.addEntry(entry); diff --git a/src/security-manager-tests/test_cases_prepare_app.cpp b/src/security-manager-tests/test_cases_prepare_app.cpp index 32dad32..cf72e77 100644 --- a/src/security-manager-tests/test_cases_prepare_app.cpp +++ b/src/security-manager-tests/test_cases_prepare_app.cpp @@ -36,8 +36,10 @@ #include #include #include +#include using namespace SecurityManagerTest; +using namespace PrivilegeNames; namespace { bool finish = false; @@ -45,9 +47,6 @@ const size_t THREADS = 10; const std::string APP_TEST_USER = "app_test_user"; -const std::string EXTERNAL_STORAGE_PRIVILEGE = "http://tizen.org/privilege/externalstorage"; -const std::string MEDIA_STORAGE_PRIVILEGE = "http://tizen.org/privilege/mediastorage"; - const std::string ACCESS_DENIED_DIR_PATH = "/usr/share/security-manager/dummy"; const std::string EXTERNAL_STORAGE_DIR_PATH = "/opt/media"; const std::string MEDIA_STORAGE_RW_DIR_PATH = "/opt/usr/media"; @@ -307,8 +306,7 @@ RUNNER_CHILD_TEST(security_manager_103_policy_change_test) tmpUser.create(); AppInstallHelper app("app103", tmpUser.getUid()); - app.addPrivilege(EXTERNAL_STORAGE_PRIVILEGE); - app.addPrivilege(MEDIA_STORAGE_PRIVILEGE); + app.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE}); ScopedInstaller appInstall(app); SynchronizationPipe synchPipe; @@ -335,11 +333,11 @@ RUNNER_CHILD_TEST(security_manager_103_policy_change_test) RUNNER_ASSERT_ERRNO_MSG(result == false, "path is bound"); PolicyRequest policyRequest; - PolicyEntry policyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), EXTERNAL_STORAGE_PRIVILEGE); + PolicyEntry policyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), PRIV_EXTERNALSTORAGE); policyEntry.setLevel(PolicyEntry::LEVEL_DENY); policyRequest.addEntry(policyEntry); - policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), MEDIA_STORAGE_PRIVILEGE); + policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), PRIV_MEDIASTORAGE); policyEntry.setLevel(PolicyEntry::LEVEL_DENY); policyRequest.addEntry(policyEntry); Api::sendPolicy(policyRequest); @@ -351,11 +349,11 @@ RUNNER_CHILD_TEST(security_manager_103_policy_change_test) result = isPathBound(ACCESS_DENIED_DIR_PATH, MEDIA_STORAGE_RO_DIR_PATH, pid); RUNNER_ASSERT_ERRNO_MSG(result == true, "path is not bound"); - policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), EXTERNAL_STORAGE_PRIVILEGE); + policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), PRIV_EXTERNALSTORAGE); policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW); policyRequest.addEntry(policyEntry); - policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), MEDIA_STORAGE_PRIVILEGE); + policyEntry = PolicyEntry(app.getAppId(), std::to_string(tmpUser.getUid()), PRIV_MEDIASTORAGE); policyEntry.setLevel(PolicyEntry::LEVEL_ALLOW); policyRequest.addEntry(policyEntry); Api::sendPolicy(policyRequest); @@ -469,10 +467,7 @@ RUNNER_TEST(security_manager_200_prepare_app_perf) for (int i = 0; i < nAppsMax; i++) { apps.emplace_back(App{AppInstallHelper("app200_" + std::to_string(i), uid), 0}); auto &hlp = apps.back().hlp; - for (const auto &p : { EXTERNAL_STORAGE_PRIVILEGE, MEDIA_STORAGE_PRIVILEGE, - std::string("http://tizen.org/privilege/camera"), - std::string("http://tizen.org/privilege/internet") }) - hlp.addPrivilege(p); + hlp.addPrivileges({PRIV_EXTERNALSTORAGE, PRIV_MEDIASTORAGE, PRIV_CAMERA, PRIV_INTERNET}); hlp.createSharedRODir(); appInstalls.emplace_back(ScopedInstaller(hlp)); } diff --git a/src/security-manager-tests/test_cases_privacy_manager.cpp b/src/security-manager-tests/test_cases_privacy_manager.cpp index edd750f..ac72b73 100644 --- a/src/security-manager-tests/test_cases_privacy_manager.cpp +++ b/src/security-manager-tests/test_cases_privacy_manager.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2018 Samsung Electronics Co., Ltd All Rights Reserved + * Copyright (c) 2016-2020 Samsung Electronics Co., Ltd All Rights Reserved * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -38,8 +38,11 @@ #include #include #include +#include +#include using namespace SecurityManagerTest; +using namespace PrivilegeNames; namespace { struct UserInfo { std::string userName; @@ -47,50 +50,29 @@ struct UserInfo { }; // Privileges required for having permission to self/admin get/set policies. -const std::string SELF_PRIVILEGE = "http://tizen.org/privilege/notexist"; -const std::string ADMIN_PRIVILEGE = "http://tizen.org/privilege/internal/usermanagement"; - -typedef std::vector Privileges; -const std::vector TEST_PRIVILEGES = { - { - "http://tizen.org/privilege/internet", - "http://tizen.org/privilege/display" - }, - { - "http://tizen.org/privilege/telephony", - "http://tizen.org/privilege/datasharing" - }, - { - "http://tizen.org/privilege/content.write", - "http://tizen.org/privilege/led", - "http://tizen.org/privilege/email" - }, - { - "http://tizen.org/privilege/led", - "http://tizen.org/privilege/email", - "http://tizen.org/privilege/telephony", - "http://tizen.org/privilege/datasharing" - }, - { - "http://tizen.org/privilege/internet", - "http://tizen.org/privilege/display", - "http://tizen.org/privilege/led", - "http://tizen.org/privilege/email" - } +const std::string& SELF_PRIVILEGE = PRIV_NOTEXIST; +const std::string& ADMIN_PRIVILEGE = PRIV_INTERNAL_USERMANAGEMENT; + +const std::vector TEST_PRIVILEGES = { + {PRIV_INTERNET, PRIV_DISPLAY}, + {PRIV_TELEPHONY, PRIV_DATASHARING}, + {PRIV_CONTENT_WRITE, PRIV_LED, PRIV_EMAIL}, + {PRIV_LED, PRIV_EMAIL, PRIV_TELEPHONY, PRIV_DATASHARING}, + {PRIV_INTERNET, PRIV_DISPLAY, PRIV_LED, PRIV_EMAIL} }; const PrivilegeVector TEST_PRIVACY_PRIVILEGES[] = { { - Privilege("http://tizen.org/privilege/telephony"), - Privilege("http://tizen.org/privilege/led"), - Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY), - Privilege("http://tizen.org/privilege/account.read", Privilege::PRIVACY), - Privilege("http://tizen.org/privilege/healthinfo", Privilege::PRIVACY), + Privilege(PRIV_TELEPHONY), + Privilege(PRIV_LED), + Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY), + Privilege(PRIV_ACCOUNT_READ, Privilege::PRIVACY), + Privilege(PRIV_HEALTHINFO, Privilege::PRIVACY), }, { - Privilege("http://tizen.org/privilege/telephony"), - Privilege("http://tizen.org/privilege/led"), - Privilege("http://tizen.org/privilege/callhistory.read", Privilege::PRIVACY), + Privilege(PRIV_TELEPHONY), + Privilege(PRIV_LED), + Privilege(PRIV_CALLHISTORY_READ, Privilege::PRIVACY), } }; @@ -151,7 +133,7 @@ RUNNER_CHILD_TEST(security_manager_10_privacy_manager_fetch_whole_policy_for_sel RUNNER_ASSERT_MSG(appIt != appIdToAIH.end(), "Policy returned unexpected app: " << app); AppInstallHelper &aih = appIt->second; - auto appPrivileges = aih.getPrivilegesNames(); + auto& appPrivileges = aih.getPrivileges(); auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege); RUNNER_ASSERT_MSG(privIt != appPrivileges.end(), "Unexpected privilege " << privilege << " for app " << app); @@ -232,7 +214,7 @@ RUNNER_CHILD_TEST(security_manager_11_privacy_manager_fetch_whole_policy_for_adm AppInstallHelper &aih = userAppIdToAIHIt->second; auto privs = aih.getPrivileges(); - auto appPrivileges = aih.getPrivilegesNames(); + auto& appPrivileges = aih.getPrivileges(); auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege); RUNNER_ASSERT_MSG(privIt != appPrivileges.end(), "Unexpected privilege " << privilege << " for app " << app); @@ -324,7 +306,7 @@ RUNNER_CHILD_TEST(security_manager_12_privacy_manager_fetch_whole_policy_for_adm AppInstallHelper &aih = userAppIdToAIHIt->second; auto privs = aih.getPrivileges(); - auto appPrivileges = aih.getPrivilegesNames(); + auto& appPrivileges = aih.getPrivileges(); auto privIt = std::find(appPrivileges.begin(), appPrivileges.end(), privilege); RUNNER_ASSERT_MSG(privIt != appPrivileges.end(), "Unexpected privilege " << privilege << " for app " << app); @@ -464,14 +446,11 @@ RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_fo PolicyRequest setPolicyRequest; std::vector policyEntries; - const std::string internetPriv = "http://tizen.org/privilege/internet"; - const std::string displayPriv = "http://tizen.org/privilege/display"; - - PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, internetPriv); + PolicyEntry internetPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, PRIV_INTERNET); internetPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY); setPolicyRequest.addEntry(internetPolicyEntry); - PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, displayPriv); + PolicyEntry displayPolicyEntry(SECURITY_MANAGER_ANY, SECURITY_MANAGER_ANY, PRIV_DISPLAY); displayPolicyEntry.setMaxLevel(PolicyEntry::LEVEL_DENY); setPolicyRequest.addEntry(displayPolicyEntry); @@ -501,7 +480,7 @@ RUNNER_CHILD_TEST(security_manager_14_privacy_manager_fetch_and_update_policy_fo RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin) { - const std::string updatePriv = "http://tizen.org/privilege/led"; + const std::string& updatePriv = PRIV_LED; TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN); adminUser.create(); @@ -538,7 +517,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_admin_wildcard) { - const std::string updatePriv = "http://tizen.org/privilege/led"; + const std::string& updatePriv = PRIV_LED; TemporaryTestUser adminUser("sm_test_15_username", GUM_USERTYPE_ADMIN); adminUser.create(); @@ -575,7 +554,7 @@ RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_adm RUNNER_CHILD_TEST(security_manager_15_privacy_manager_send_policy_update_for_self) { - const std::string updatePriv = "http://tizen.org/privilege/led"; + const std::string& updatePriv = PRIV_LED; TemporaryTestUser user("sm_test_15_username", GUM_USERTYPE_NORMAL); user.create(); @@ -649,7 +628,7 @@ RUNNER_CHILD_TEST(security_manager_16_policy_levels_get) RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self) { - const std::string updatePriv = "http://tizen.org/privilege/led"; + const std::string& updatePriv = PRIV_LED; TemporaryTestUser user("sm_test_17a_username", GUM_USERTYPE_NORMAL); user.create(); @@ -699,7 +678,7 @@ RUNNER_CHILD_TEST(security_manager_17a_privacy_manager_delete_policy_for_self) RUNNER_CHILD_TEST(security_manager_17b_privacy_manager_delete_policy_for_self) { - const std::string updatePriv = "http://tizen.org/privilege/led"; + const std::string& updatePriv = PRIV_LED; TemporaryTestUser user("sm_test_17b_username", GUM_USERTYPE_NORMAL); user.create(); @@ -998,7 +977,7 @@ RUNNER_CHILD_TEST(security_manager_23_fetch_app_manifest_invalid_user) static void check_privileges_from_manifest(const AppInstallHelper &aih, char **privileges, size_t nPrivs) { - std::vector aihPrivs = aih.getPrivilegesNames(); + auto& aihPrivs = aih.getPrivileges(); RUNNER_ASSERT_MSG(nPrivs == aihPrivs.size(), "Expected privileges number: " << aihPrivs.size() << ", got " << nPrivs); for (size_t i = 0; i < nPrivs; ++i) { RUNNER_ASSERT_MSG(std::find(aihPrivs.begin(), aihPrivs.end(), std::string(privileges[i])) != aihPrivs.end(), @@ -1013,8 +992,7 @@ RUNNER_CHILD_TEST(security_manager_24_fetch_app_manifest_global_app) AppInstallHelper app("security_manager_24_fetch"); app.setInstallType(SM_APP_INSTALL_GLOBAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); char **privileges; @@ -1040,8 +1018,7 @@ RUNNER_CHILD_TEST(security_manager_25_fetch_app_manifest_local_app) AppInstallHelper app("security_manager_25_fetch", user.getUid()); app.setInstallType(SM_APP_INSTALL_LOCAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); char **privileges; @@ -1066,15 +1043,12 @@ RUNNER_CHILD_TEST(security_manager_26_fetch_app_manifest_both_apps) AppInstallHelper appGlobal("security_manager_26_fetch"); appGlobal.setInstallType(SM_APP_INSTALL_GLOBAL); - appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - appGlobal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); - appGlobal.addPrivilege(std::string("http://tizen.org/privielge/contacts.read")); + appGlobal.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ}); ScopedInstaller appGlobalInstall(appGlobal); AppInstallHelper appLocal("security_manager_26_fetch", user.getUid()); appLocal.setInstallType(SM_APP_INSTALL_LOCAL); - appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - appLocal.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + appLocal.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appLocalInstall(appLocal); @@ -1100,8 +1074,7 @@ RUNNER_CHILD_TEST(security_manager_27_fetch_app_manifest_app_context_local_posit AppInstallHelper app("security_manager_27_fetch", user.getUid()); app.setInstallType(SM_APP_INSTALL_LOCAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); pid_t pid = fork(); @@ -1130,8 +1103,7 @@ RUNNER_CHILD_TEST(security_manager_28_fetch_app_manifest_app_context_global_posi AppInstallHelper app("security_manager_28_fetch"); app.setInstallType(SM_APP_INSTALL_GLOBAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); pid_t pid = fork(); @@ -1163,15 +1135,12 @@ RUNNER_CHILD_TEST(security_manager_29_fetch_app_manifest_app_context_local_diffe AppInstallHelper app("security_manager_29_fetch", user.getUid()); app.setInstallType(SM_APP_INSTALL_LOCAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); AppInstallHelper app1("security_manager_29_fetch", user1.getUid()); app1.setInstallType(SM_APP_INSTALL_LOCAL); - app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); - app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read")); + app1.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ}); ScopedInstaller appInstall1(app1); @@ -1205,15 +1174,12 @@ RUNNER_CHILD_TEST(security_manager_30_fetch_app_manifest_app_context_local_diffe AppInstallHelper app("security_manager_30_fetch", user.getUid()); app.setInstallType(SM_APP_INSTALL_LOCAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); AppInstallHelper app1("security_manager_30_fetch_1", user.getUid()); app1.setInstallType(SM_APP_INSTALL_LOCAL); - app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); - app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read")); + app1.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE, PRIV_CONTACTS_READ}); ScopedInstaller appInstall1(app1); @@ -1247,16 +1213,15 @@ RUNNER_CHILD_TEST(security_manager_31_fetch_app_manifest_app_context_local_diffe AppInstallHelper app("security_manager_31_fetch", user.getUid()); app.setInstallType(SM_APP_INSTALL_LOCAL); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); + app.addPrivileges({PRIV_CALENDAR_READ, PRIV_CALENDAR_WRITE}); ScopedInstaller appInstall(app); AppInstallHelper app1("security_manager_31_fetch_1", user.getUid()); app1.setInstallType(SM_APP_INSTALL_LOCAL); - app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.read")); - app1.addPrivilege(std::string("http://tizen.org/privilege/calendar.write")); - app1.addPrivilege(std::string("http://tizen.org/privilege/contacts.read")); - app1.addPrivilege(std::string("http://tizen.org/privilege/internal/usermanagement")); + app1.addPrivileges({PRIV_CALENDAR_READ, + PRIV_CALENDAR_WRITE, + PRIV_CONTACTS_READ, + PRIV_INTERNAL_USERMANAGEMENT}); ScopedInstaller appInstall1(app1); -- 2.7.4