2 * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
20 #include <sys/smack.h>
23 #include <security-manager.h>
25 #include <app_install_helper.h>
26 #include <dpl/test/test_runner.h>
28 #include <sm_commons.h>
30 #include <sm_request.h>
31 #include <tests_common.h>
32 #include <tzplatform.h>
34 using namespace SecurityManagerTest;
// Path of an app_dir_trusted directory below the global application directory.
// Within this listing it is referenced only by the nftw failure message in
// security_manager_43_app_install_with_trusted_path.
static const std::string SM_TRUSTED_PATH(
    TzPlatformConfig::globalAppDir() + "/sm_test_02_pkg_id_full/app_dir_trusted");
// Asserts that `subject` holds exactly the Smack rights listed in `access` on `object`:
// every listed right must be granted and every other right from "rwxatl" must be absent.
// The exclusion half is what turns this into a least-privilege check instead of a
// "has at least" check; an empty `access` asserts that none of the six rights is granted.
// NOTE(review): the filter below matches characters case-sensitively and probes only the
// six letters of "rwxatl", so callers are presumably expected to pass lowercase modes - confirm.
39 static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
// Positive half: a single query with the whole access string; skipped when nothing is expected.
42 if (!access.empty()) {
43 int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
// A negative return is reported as a query failure, separately from a denied access.
44 RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
45 RUNNER_ASSERT_MSG(result == 1,
46 "No smack access: " << subject << " " << object << " " << access);
48 // check excessive access
// Predicate: true for a mode letter that the caller listed as expected.
49 auto foundInAccess = [&access](std::string::value_type c) {
50 return access.find(c) != std::string::npos; };
// Start from all six modes and drop the expected ones; what remains must be denied.
52 std::string negative = "rwxatl";
53 auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
54 negative.erase(end, negative.end());
// Each leftover mode is queried on its own so a failure names the exact excess right.
56 for(const auto& c : negative) {
57 int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
58 RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
59 RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
60 " subject:" << subject <<
61 " object:" << object <<
62 " right:" << std::string(1,c) <<
63 " result:" << result <<
// NOTE(review): the listing stops mid-expression here; the tail of the message and the
// closing braces of the loop and the function are not shown.
// NOTE(review): presumably opens the SECURITY_MANAGER_TRUSTED_SHARING group so that the
// RUNNER_TEST cases that follow are reported under it - confirm against the test runner.
68 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
// Input validation of the author id setter: values that cannot identify an
// author must be refused with SECURITY_MANAGER_ERROR_INPUT_PARAM. Other tests
// in this file grant access to a trusted path per author id, so a request
// must not be able to carry a missing or empty one.
RUNNER_TEST(security_manager_40_set_wrong_author_id)
{
    InstallRequest request;

    // Null pointer in place of the author id.
    const auto nullIdResult =
        security_manager_app_inst_req_set_author_id(request.get(), nullptr);
    RUNNER_ASSERT(nullIdResult == SECURITY_MANAGER_ERROR_INPUT_PARAM);

    // Empty string in place of the author id.
    const auto emptyIdResult =
        security_manager_app_inst_req_set_author_id(request.get(), "");
    RUNNER_ASSERT(emptyIdResult == SECURITY_MANAGER_ERROR_INPUT_PARAM);
}
// Sets ten different author ids, each on its own freshly created request.
// NOTE(review): no single request has its author id set twice here, so
// overwriting an id on one request is not exercised by this test despite its
// name; security_manager_43 does set the id twice on one request.
RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
{
    for (unsigned int round = 0; round < 10; ++round) {
        const std::string authorId = std::string("some-author-id") + std::to_string(round);

        InstallRequest request;
        request.setAuthorId(authorId);
    }
}
// Trusted-sharing scenario with three apps: `provider` registers a TRUSTED_RW path under an
// author id, `user` installs with the same author id and no path, `untrusted` installs with
// no author id. The test pins the label of the trusted path, who may reach it, and that the
// author rules survive until the last app carrying that author id is uninstalled.
// NOTE(review): the Api::uninstall calls sit on the straight-line path only; whether a failed
// assertion leaves apps and Smack rules behind depends on the runner and AppInstallHelper -
// confirm, since leftovers could influence later access checks.
91 RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
93 std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
94 auto &provider = helper[0];
95 auto &user = helper[1];
96 auto &untrusted = helper[2];
98 TestSecurityManagerDatabase dbtest;
99 const char *author_id = "custom_author_id_test 41";
// Both the author's apps and the "System"/"User" subjects are expected to hold all six rights.
101 const char *const trusted_access = "rwxatl";
102 const char *const system_access = "rwxatl";
// NOTE(review): the listing skips original lines here; the declaration of `result` used below
// is not shown, and the loop body may hold more than the two calls that are visible.
107 for (auto &e : helper) {
109 e.createInstallDir();
110 e.createTrustedDir();
// Walks the provider's install directory with nftw_remove_labels before installation.
// NOTE(review): the failure message prints SM_TRUSTED_PATH, a fixed path that differs from the
// directory actually walked (provider.getInstallDir()), so it can point at the wrong place.
113 result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
114 RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
116 // install app with shared/trusted dir
117 InstallRequest trustingApp;
118 trustingApp.setAppId(provider.getAppId());
119 trustingApp.setPkgId(provider.getPkgId());
// The id is set twice on purpose: the second value is the one looked up in the database below.
120 trustingApp.setAuthorId("author id to be overwritten");
121 trustingApp.setAuthorId(author_id);
122 trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
123 Api::install(trustingApp);
// The expected label is built from the numeric author id stored in the database, not from the
// author id string supplied in the request.
125 int64_t authorDb = dbtest.get_author_id(author_id);
126 const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
128 // check trusted path label
129 check_path(provider.getTrustedDir(), trusted_label);
// Exact-access checks: full rights for "System", "User" and the provider's process label;
// the package RW path label, used as a subject, must hold no right on the author label.
132 check_exact_access("System", trusted_label, system_access);
133 check_exact_access("User", trusted_label, system_access);
134 check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
135 trusted_label, trusted_access);
136 check_exact_access(generatePathRWLabel(provider.getPkgId()), trusted_label, "");
138 // install trusted app
139 InstallRequest trustedApp;
140 trustedApp.setAppId(user.getAppId());
141 trustedApp.setPkgId(user.getPkgId());
142 trustedApp.setAuthorId(author_id);
143 Api::install(trustedApp);
// Same author id, no path of its own: the second app's process label gets the same rights.
146 check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
147 trusted_label, trusted_access);
148 check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
150 // install untrusted app
151 InstallRequest untrustedApp;
152 untrustedApp.setAppId(untrusted.getAppId());
153 untrustedApp.setPkgId(untrusted.getPkgId());
154 Api::install(untrustedApp);
// NOTE(review): the line carrying the object and expected access of the next call is missing
// from the listing; this is the check that decides what an app without the author id may do.
157 check_exact_access(generateProcessLabel(untrusted.getAppId(), untrusted.getPkgId()),
159 check_exact_access(generatePathRWLabel(untrusted.getPkgId()), trusted_label, "");
161 // uninstall trusting app
162 Api::uninstall(trustingApp);
164 // there's still one app with author id, rules should be kept
165 check_exact_access("System", trusted_label, system_access);
166 check_exact_access("User", trusted_label, system_access);
// NOTE(review): the argument line of the provider process-label check is not shown.
167 check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
169 check_exact_access(generatePathRWLabel(provider.getPkgId()), trusted_label, "");
170 check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
171 trusted_label, trusted_access);
172 check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
174 Api::uninstall(trustedApp);
176 // no more apps with author id
// With the last app of the author gone, even "System" and "User" must hold no right on the label.
177 check_exact_access("System", trusted_label, "");
178 check_exact_access("User", trusted_label, "");
// NOTE(review): the argument line of the next call is not shown.
179 check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
181 check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
183 Api::uninstall(untrustedApp);
// Negative case: a request that registers a TRUSTED_RW path without any author id.
// The install call is given SECURITY_MANAGER_ERROR_INPUT_PARAM as its second argument.
// NOTE(review): presumably Api::install asserts that the service returns this code - confirm
// against the helper; nothing after the call verifies that no label or rule was left behind.
187 RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
189 AppInstallHelper help("app44");
190 help.createInstallDir();
191 help.createTrustedDir();
193 // install app with shared/trusted dir but without authors id
// NOTE(review): the declaration of `app` is on a line the listing does not show.
195 app.setAppId(help.getAppId());
196 app.setPkgId(help.getPkgId());
197 app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
198 Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
// Installs two apps under two different author id strings and asserts that the database
// assigned them different numeric ids. security_manager_43 in this file builds the trusted
// path label from that numeric id, so two authors sharing one id would share one label.
201 RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
203 std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
204 auto &trusted1 = helper[0];
205 auto &trusted2 = helper[1];
207 TestSecurityManagerDatabase dbtest;
208 const char *authorId1 = "custom_author_id_test a45";
209 const char *authorId2 = "custom_author_id_test b45";
// NOTE(review): the listing skips original lines around this loop; its body may hold more
// than the two calls that are visible.
212 for (auto &e : helper) {
214 e.createInstallDir();
215 e.createTrustedDir();
218 // install app with shared/trusted dir
219 InstallRequest trustingApp;
220 trustingApp.setAppId(trusted1.getAppId());
221 trustingApp.setPkgId(trusted1.getPkgId());
222 trustingApp.setAuthorId(authorId1);
223 trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
224 Api::install(trustingApp);
// Each id is read while its app is still installed; the comparison happens after both uninstalls.
226 int64_t authorDb1 = dbtest.get_author_id(authorId1);
228 // install trusted app
// The second app uses a different author id and registers no trusted path.
229 InstallRequest trustedApp;
230 trustedApp.setAppId(trusted2.getAppId());
231 trustedApp.setPkgId(trusted2.getPkgId());
232 trustedApp.setAuthorId(authorId2);
233 Api::install(trustedApp);
235 int64_t authorDb2 = dbtest.get_author_id(authorId2);
237 Api::uninstall(trustingApp);
238 Api::uninstall(trustedApp);
240 RUNNER_ASSERT(authorDb1 != authorDb2);
// Two apps ("a46" and "b46") belong to the same package "a46" and use the same author id.
// The test checks the rules that "System" and "User" hold on the process labels and on the
// package RW path label at three points: after both installs, after uninstalling the second
// app, and after uninstalling the first. Package-level rules must outlive the removal of one
// app and disappear only with the last one.
243 RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
246 * Lets assume that app1 and app2 are part of pkg1.
247 * Deinstalation of app1 mustnot remove rules:
248 * System PKG1Label rwxatl
249 * User PKGLabel rwxatl
252 std::vector<AppInstallHelper> helper {{"a46", "a46"}, {"b46", "a46"}};
253 auto &trusted1 = helper[0];
254 auto &trusted2 = helper[1];
256 std::string authorId1 = "author46XYZ";
// NOTE(review): the listing skips original lines around this loop; its body may hold more
// than the two calls that are visible.
258 for (auto &e : helper) {
260 e.createInstallDir();
261 e.createTrustedDir();
264 InstallRequest trustingApp;
265 trustingApp.setAppId(trusted1.getAppId());
266 trustingApp.setPkgId(trusted1.getPkgId());
267 trustingApp.setAuthorId(authorId1);
268 trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
269 Api::install(trustingApp);
271 InstallRequest trustingApp2;
272 trustingApp2.setAppId(trusted2.getAppId());
273 trustingApp2.setPkgId(trusted2.getPkgId());
274 trustingApp2.setAuthorId(authorId1);
275 Api::install(trustingApp2);
// State 1, both apps installed.
// NOTE(review): the expected-access argument of each process-label check in this group is on
// a line the listing does not show; only the package path checks show "rwxatl".
277 check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
279 check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
281 check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
282 check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
283 check_exact_access("System", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()),
285 check_exact_access("User", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()),
288 Api::uninstall(trustingApp2);
// State 2, second app removed: the package path rules stay at "rwxatl", while the removed
// app's process label must no longer be reachable by "System" or "User".
// NOTE(review): the expected access for the first app's process label is not shown.
290 check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
292 check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
294 check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
295 check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
296 check_exact_access("System", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()), "");
297 check_exact_access("User", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()), "");
299 Api::uninstall(trustingApp);
// State 3, package empty: no right may remain on the process label or the package path label.
301 check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()), "");
302 check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()), "");
303 check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "");
304 check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "");