2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #include <unordered_map>
19 #include <sys/smack.h>
20 #include <sys/types.h>
23 #include <dpl/test/test_runner.h>
24 #include <sm_commons.h>
25 #include <tests_common.h>
26 #include <scoped_installer.h>
27 #include <scoped_path_remover.h>
29 using namespace SecurityManagerTest;
32 const int ACCESS_SUCCESS = 0;
33 const int ACCESS_ERROR = -1;
35 const std::vector<std::pair<std::string, std::string>> versionCombinations {
36 std::make_pair("2.4", "2.4"),
37 std::make_pair("2.4", "3.0"),
38 std::make_pair("3.0", "3.0"),
39 std::make_pair("3.0", "2.4")
42 const std::unordered_map<int, const char* const> accessTypeToString {
43 std::make_pair(0, "F_OK"),
44 std::make_pair(1, "X_OK"),
45 std::make_pair(2, "W_OK"),
46 std::make_pair(3, "W_OK|X_OK"),
47 std::make_pair(4, "R_OK"),
48 std::make_pair(5, "R_OK|X_OK"),
49 std::make_pair(6, "R_OK|W_OK"),
50 std::make_pair(7, "R_OK|W_OK|X_OK")
53 void changeSecurityContext(const std::string &label, uid_t uid, gid_t gid)
55 RUNNER_ASSERT_ERRNO_MSG(0 == smack_set_label_for_self(label.c_str()),
56 "Error in smack_set_label_for_self(" << label << ")");
58 RUNNER_ASSERT_ERRNO_MSG(0 == setgid(gid), "Error in setgid.");
59 RUNNER_ASSERT_ERRNO_MSG(0 == setuid(uid), "Error in setuid.");
62 AppInstallHelper prepAIH(const std::string &appName,
63 const std::string &pkgName,
67 bool appIsLocal = true;
68 AppInstallHelper appInstallHelper(appName, pkgName, version, appIsLocal);
70 appInstallHelper.createInstallDir();
73 appInstallHelper.createSharedRODir();
75 return appInstallHelper;
78 void runAccessTest(const AppInstallHelper &appFrom, const std::string &testPath,
79 const int accessType, const int accessResult) {
81 changeSecurityContext(appFrom.generateAppLabel(), appFrom.getUID(), appFrom.getGID());
82 RUNNER_ASSERT_ERRNO_MSG(::access(testPath.c_str(), accessType) == accessResult,
83 "access from app " << appFrom.getAppId() << " to path " << testPath
84 << " (" << accessTypeToString.at(accessType) << "): ");
87 runInChildParentWait(fun);
90 } //anonymous namespace
92 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_SHARED_RO)
95 * Test 76 : Check whether owner app
96 * have access to own sharedRO dir
98 RUNNER_CHILD_TEST(security_manager_76_owner_shared_ro_have_rw_access_to_own_shared_ro_dir)
100 std::string sharedROAppName = "sm_test_76_app1_sharedRO";
101 std::string sharedROPkgName = "sm_test_76_pkg1_sharedRO";
102 auto run_test = [&](std::string ver) {
103 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver, true));
104 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
106 runAccessTest(sharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
114 * Test 77 : Check whether app from non_sharedRO pkg
115 * have access to sharedRO dir of an application
117 RUNNER_CHILD_TEST(security_manager_77_no_shared_ro_have_ro_access_to_shared_ro)
119 std::string sharedROAppName = "sm_test_77_app1_sharedRO";
120 std::string sharedROPkgName = "sm_test_77_pkg1_sharedRO";
121 std::string nonSharedROAppName = "sm_test_77_app2";
122 std::string nonSharedROPkgName = "sm_test_77_pkg2";
124 auto run_test = [&](std::string ver1, std::string ver2) {
125 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
126 ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver2, false));
127 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
129 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
130 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
133 for (const auto &version : versionCombinations) {
134 run_test(version.first, version.second);
139 * Test 78 : Check whether app from another sharedRO pkg
140 * have access to sharedRO dir of an application
142 RUNNER_CHILD_TEST(security_manager_78_another_pkg_shared_ro_have_ro_access_to_shared_ro)
144 std::string sharedROAppName = "sm_test_78_app1_sharedRO";
145 std::string sharedROPkgName = "sm_test_78_pkg1_sharedRO";
146 std::string sharedROAppName2 = "sm_test_78_app2_sharedRO";
147 std::string sharedROPkgName2 = "sm_test_78_pkg2_sharedRO";
149 auto run_test = [&](std::string ver1, std::string ver2) {
150 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
151 ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName2, ver2, true));
152 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(),
153 sharedROPkgApp2.getAIH().getSharedRODir()});
155 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
156 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
159 for (const auto &version : versionCombinations)
160 run_test(version.first, version.second);
164 * Test 79 : Install two sharedRO apps in one package
165 * and check access to sharedRO dir
167 RUNNER_CHILD_TEST(security_manager_79_same_pkg_shared_ro_have_ro_access_to_shared_ro)
169 std::string sharedROAppName = "sm_test_79_app1_sharedRO";
170 std::string sharedROPkgName = "sm_test_79_pkg1_sharedRO";
171 std::string sharedROAppName2 = "sm_test_79_app2_sharedRO";
173 auto run_test = [&](std::string ver1, std::string ver2) {
174 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
175 ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName, ver2, true));
176 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
178 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
179 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
182 for (const auto &version : versionCombinations)
183 run_test(version.first, version.second);
187 * Test 80 : Check whether application from non-sharedRO pkg
188 * have proper access to RO dir of an sharedRO application.
190 RUNNER_CHILD_TEST(security_manager_80_no_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
192 std::string sharedROAppName = "sm_test_80_app1_sharedRO";
193 std::string sharedROPkgName = "sm_test_80_pkg1_sharedRO";
194 std::string nonSharedROAppName = "sm_test_80_app2";
195 std::string nonSharedROPkgName = "sm_test_80_pkg2";
197 auto run_test = [&](std::string ver1, std::string ver2) {
198 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
199 ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver2, false));
200 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
202 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|X_OK, ACCESS_ERROR);
203 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|W_OK, ACCESS_ERROR);
206 for (const auto &version : versionCombinations)
207 run_test(version.first, version.second);
211 * Test 81 : Check whether sharedRO application from another pkg
212 * have proper access to RO dir of other sharedRO app.
214 RUNNER_CHILD_TEST(security_manager_81_another_pkg_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
216 std::string sharedROAppName = "sm_test_81_app1_sharedRO";
217 std::string sharedROPkgName = "sm_test_81_pkg1_sharedRO";
218 std::string sharedROAppName2 = "sm_test_81_app2_sharedRO";
219 std::string sharedROPkgName2 = "sm_test_81_pkg2_sharedRO";
221 auto run_test = [&](std::string ver1, std::string ver2) {
222 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
223 ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName2, ver2, true));
224 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(),
225 sharedROPkgApp2.getAIH().getSharedRODir()});
227 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|X_OK, ACCESS_ERROR);
228 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|W_OK, ACCESS_ERROR);
231 for (const auto &version : versionCombinations)
232 run_test(version.first, version.second);
236 * Test 82 : Check whether sharedRO application from same pkg
237 * have proper access to RO dir of other sharedRO app.
239 RUNNER_CHILD_TEST(security_manager_82_same_pkg_shared_ro_have_no_access_to_shared_ro_app_ro_dir)
241 std::string sharedROAppName = "sm_test_82_app1_sharedRO";
242 std::string sharedROPkgName = "sm_test_82_pkg1_sharedRO";
243 std::string sharedROAppName2 = "sm_test_82_app2_sharedRO";
245 auto run_test = [&](std::string ver1, std::string ver2) {
246 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
247 ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName, ver2, true));
248 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
250 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|X_OK, ACCESS_ERROR);
251 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getPrivateRODir(), R_OK|W_OK, ACCESS_ERROR);
254 for (const auto &version : versionCombinations)
255 run_test(version.first, version.second);
259 * Test 83 : Try to add valid sharedRO dir to an app
260 * and check all possible accesses to to it.
262 RUNNER_CHILD_TEST(security_manager_83_add_path_to_app_and_check_all)
264 std::string sharedROAppName = "sm_test_83_app1_sharedRO";
265 std::string sharedROPkgName = "sm_test_83_pkg1_sharedRO";
266 std::string nonSharedROAppName = "sm_test_83_app2";
267 std::string nonSharedROPkgName = "sm_test_83_pkg2";
268 std::string nonSharedROAppName2 = "sm_test_83_app3_will_be_sharedRO";
269 std::string nonSharedROPkgName2 = "sm_test_83_pkg3_will_be_sharedRO";
271 auto run_test = [&](std::string ver1, std::string ver2) {
272 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
273 ScopedInstaller anotherNonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver1, false));
274 ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName2, nonSharedROPkgName2, ver2, false));
275 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(),
276 anotherNonSharedROPkgApp.getAIH().getSharedRODir(),
277 nonSharedROPkgApp.getAIH().getSharedRODir()});
279 nonSharedROPkgApp.getAIH().createSharedRODir();
281 PathsRequest sharedRORequest;
282 sharedRORequest.setPkgId(nonSharedROPkgApp.getAIH().getPkgId());
283 sharedRORequest.addPath(nonSharedROPkgApp.getAIH().getSharedRODir(), SECURITY_MANAGER_PATH_OWNER_RW_OTHER_RO);
284 sharedRORequest.setUid(nonSharedROPkgApp.getAIH().getUID());
285 Api::registerPaths(sharedRORequest);
287 runAccessTest(nonSharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
289 runAccessTest(sharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
290 runAccessTest(sharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
292 runAccessTest(anotherNonSharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
293 runAccessTest(anotherNonSharedROPkgApp.getAIH(), nonSharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
296 for (const auto &version : versionCombinations)
297 run_test(version.first, version.second);
301 * Test 84 : Try to add path which does not belong
302 * to an app and check if operation succeeds.
304 RUNNER_CHILD_TEST(security_manager_84_add_invalid_path_to_app_and_check_all)
306 std::string sharedROAppName = "sm_test_84_app1_sharedRO";
307 std::string sharedROPkgName = "sm_test_84_pkg1_sharedRO";
308 std::string nonSharedROAppName = "sm_test_84_app2";
309 std::string nonSharedROPkgName = "sm_test_84_pkg2";
310 std::string nonSharedROAppName2 = "sm_test_84_app3_wont_be_sharedRO";
311 std::string nonSharedROPkgName2 = "sm_test_84_pkg3_wont_be_sharedRO";
313 auto run_test = [&](std::string ver1, std::string ver2) {
314 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
315 ScopedInstaller anotherNonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver1, false));
316 ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName2, nonSharedROPkgName2, ver2 ,false));
317 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(), anotherNonSharedROPkgApp.getAIH().getSharedRODir()});
319 PathsRequest sharedRORequest;
320 sharedRORequest.setPkgId(nonSharedROPkgApp.getAIH().getPkgId());
321 sharedRORequest.addPath(sharedROPkgApp.getAIH().getPrivateRODir(), SECURITY_MANAGER_PATH_RO);
322 sharedRORequest.setUid(nonSharedROPkgApp.getAIH().getUID());
323 Api::registerPaths(sharedRORequest, SECURITY_MANAGER_ERROR_AUTHENTICATION_FAILED);
326 for (const auto &version : versionCombinations)
327 run_test(version.first, version.second);
331 * Test 85 : Install and uninstall app and check accesses to
332 * uninstalled paths from other packages.
334 RUNNER_CHILD_TEST(security_manager_85_install_uninstall_shared_ro_app_and_check_cleaning)
336 std::string sharedROAppName = "sm_test_85_app1_sharedRO";
337 std::string sharedROPkgName = "sm_test_85_pkg1_sharedRO";
338 std::string sharedROAppName2 = "sm_test_85_app2_sharedRO";
339 std::string sharedROPkgName2 = "sm_test_85_pkg2_sharedRO";
340 std::string nonSharedROAppName = "sm_test_85_app3";
341 std::string nonSharedROPkgName = "sm_test_85_pkg3";
343 auto run_test = [&](std::string ver1, std::string ver2) {
344 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, true));
345 ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName2, ver2, true));
346 ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, nonSharedROPkgName, ver2, false));
347 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir(), sharedROPkgApp2.getAIH().getSharedRODir()});
349 sharedROPkgApp.uninstallApp();
351 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_ERROR);
352 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
354 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_ERROR);
355 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_ERROR);
358 * After Deinstallation of an app, sharedRO dir
359 * still exists, but only owner app have an access (sharedRO rules are revoked)
362 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp.getAIH().getSharedRODir(), F_OK, ACCESS_SUCCESS);
365 for (const auto &version : versionCombinations)
366 run_test(version.first, version.second);
370 * Test 86 : Install multiple SharedRO apps,
371 * uninstall one of them and check accesses to sharedRO path
372 * within one package.
374 RUNNER_CHILD_TEST(security_manager_86_install_uninstall_shared_ro_two_apps_in_one_pkg)
376 std::string sharedROAppName = "sm_test_86_app1_sharedRO";
377 std::string sharedROPkgName = "sm_test_86_pkg1_sharedRO";
378 std::string sharedROAppName2 = "sm_test_86_app2_sharedRO";
379 std::string nonSharedROAppName = "sm_test_86_app3";
381 auto run_test = [&](std::string ver1, std::string ver2) {
382 ScopedInstaller sharedROPkgApp(prepAIH(sharedROAppName, sharedROPkgName, ver1, false));
383 ScopedInstaller sharedROPkgApp2(prepAIH(sharedROAppName2, sharedROPkgName, ver2, true));
384 ScopedInstaller nonSharedROPkgApp(prepAIH(nonSharedROAppName, sharedROPkgName, ver2, false));
385 ScopedPathRemover pathRemover({sharedROPkgApp.getAIH().getSharedRODir()});
387 sharedROPkgApp.uninstallApp();
389 runAccessTest(nonSharedROPkgApp.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
390 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), F_OK, ACCESS_SUCCESS);
391 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), R_OK|X_OK, ACCESS_SUCCESS);
392 runAccessTest(sharedROPkgApp2.getAIH(), sharedROPkgApp2.getAIH().getSharedRODir(), R_OK|W_OK, ACCESS_SUCCESS);
395 for (const auto &version : versionCombinations)
396 run_test(version.first, version.second);