src/security-manager-tests/test_cases_trusted_sharing.cpp

   1 /*
   2  * Copyright (c) 2016 Samsung Electronics Co., Ltd All Rights Reserved
   3  *
   4  *    Licensed under the Apache License, Version 2.0 (the "License");
   5  *    you may not use this file except in compliance with the License.
   6  *    You may obtain a copy of the License at
   7  *
   8  *        http://www.apache.org/licenses/LICENSE-2.0
   9  *
  10  *    Unless required by applicable law or agreed to in writing, software
  11  *    distributed under the License is distributed on an "AS IS" BASIS,
  12  *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13  *    See the License for the specific language governing permissions and
  14  *    limitations under the License.
  15  */
  16
  17 #include <algorithm>
  18 #include <ftw.h>
  19 #include <string>
  20 #include <sys/smack.h>
  21 #include <vector>
  22
  23 #include <security-manager.h>
  24
  25 #include <app_install_helper.h>
  26 #include <dpl/test/test_runner.h>
  27 #include <sm_api.h>
  28 #include <sm_commons.h>
  29 #include <sm_db.h>
  30 #include <sm_request.h>
  31 #include <tests_common.h>
  32 #include <tzplatform.h>
  33
  34 using namespace SecurityManagerTest;
  35
  36 static const std::string SM_TRUSTED_PATH =
  37         TzPlatformConfig::globalAppDir() + "/sm_test_02_pkg_id_full/app_dir_trusted";
  38
  39 static void check_exact_access(const std::string& subject, const std::string& object, const std::string& access)
  40 {
  41     // check access
  42     if (!access.empty()) {
  43         int result = smack_have_access(subject.c_str(), object.c_str(), access.c_str());
  44         RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
  45         RUNNER_ASSERT_MSG(result == 1,
  46           "No smack access: " << subject << " " << object << " " << access);
  47     }
  48     // check excessive access
  49     auto foundInAccess = [&access](std::string::value_type c) {
  50         return access.find(c) != std::string::npos; };
  51
  52     std::string negative = "rwxatl";
  53     auto end = std::remove_if(negative.begin(), negative.end(), foundInAccess);
  54     negative.erase(end, negative.end());
  55
  56     for(const auto& c : negative) {
  57         int result = smack_have_access(subject.c_str(), object.c_str(), std::string(1, c).c_str());
  58         RUNNER_ASSERT_MSG(result >= 0, "smack_have_access failed");
  59         RUNNER_ASSERT_MSG(result == 0, "Unexpected access for" <<
  60             " subject:" << subject <<
  61             " object:" << object <<
  62             " right:" << std::string(1,c) <<
  63             " result:" << result <<
  64             " expected:0");
  65     }
  66 }
  67
  68 RUNNER_TEST_GROUP_INIT(SECURITY_MANAGER_TRUSTED_SHARING)
  69
  70 RUNNER_TEST(security_manager_40_set_wrong_author_id)
  71 {
  72     InstallRequest requestInst;
  73
  74     RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
  75         security_manager_app_inst_req_set_author_id(requestInst.get(), NULL));
  76
  77     RUNNER_ASSERT(SECURITY_MANAGER_ERROR_INPUT_PARAM ==
  78         security_manager_app_inst_req_set_author_id(requestInst.get(), ""));
  79 }
  80
  81 RUNNER_TEST(security_manager_41_set_author_id_multiple_times)
  82 {
  83     for(unsigned int i=0; i<10; ++i) {
  84         std::string authorId = "some-author-id" + std::to_string(i);
  85
  86         InstallRequest requestInst;
  87         requestInst.setAuthorId(authorId);
  88     }
  89 }
  90
  91 RUNNER_TEST(security_manager_43_app_install_with_trusted_path)
  92 {
  93     std::vector<AppInstallHelper> helper {{"app43a"}, {"app43b"}, {"app43c"}};
  94     auto &provider  = helper[0];
  95     auto &user      = helper[1];
  96     auto &untrusted = helper[2];
  97
  98     TestSecurityManagerDatabase dbtest;
  99     const char *author_id = "custom_author_id_test 41";
 100
 101     const char *const trusted_access = "rwxatl";
 102     const char *const system_access = "rwxatl";
 103
 104     int result;
 105
 106     // cleanup
 107     for (auto &e : helper) {
 108         e.revokeRules();
 109         e.createInstallDir();
 110         e.createTrustedDir();
 111     }
 112
 113     result = nftw(provider.getInstallDir().c_str(), &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
 114     RUNNER_ASSERT_MSG(result == 0, "Unable to set Smack labels in " << SM_TRUSTED_PATH);
 115
 116     // install app with shared/trusted dir
 117     InstallRequest trustingApp;
 118     trustingApp.setAppId(provider.getAppId());
 119     trustingApp.setPkgId(provider.getPkgId());
 120     trustingApp.setAuthorId("author id to be overwritten");
 121     trustingApp.setAuthorId(author_id);
 122     trustingApp.addPath(provider.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 123     Api::install(trustingApp);
 124
 125     int64_t authorDb = dbtest.get_author_id(author_id);
 126     const std::string trusted_label = std::string("User::Author::") + std::to_string(authorDb);
 127
 128     // check trusted path label
 129     check_path(provider.getTrustedDir(), trusted_label);
 130
 131     // check rules
 132     check_exact_access("System", trusted_label, system_access);
 133     check_exact_access("User", trusted_label, system_access);
 134     check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
 135                        trusted_label, trusted_access);
 136     check_exact_access(generatePathRWLabel(provider.getPkgId()), trusted_label, "");
 137
 138     // install trusted app
 139     InstallRequest trustedApp;
 140     trustedApp.setAppId(user.getAppId());
 141     trustedApp.setPkgId(user.getPkgId());
 142     trustedApp.setAuthorId(author_id);
 143     Api::install(trustedApp);
 144
 145     // check rules
 146     check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
 147                        trusted_label, trusted_access);
 148     check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
 149
 150     // install untrusted app
 151     InstallRequest untrustedApp;
 152     untrustedApp.setAppId(untrusted.getAppId());
 153     untrustedApp.setPkgId(untrusted.getPkgId());
 154     Api::install(untrustedApp);
 155
 156     // check rules
 157     check_exact_access(generateProcessLabel(untrusted.getAppId(), untrusted.getPkgId()),
 158                        trusted_label, "");
 159     check_exact_access(generatePathRWLabel(untrusted.getPkgId()), trusted_label, "");
 160
 161     // uninstall trusting app
 162     Api::uninstall(trustingApp);
 163
 164     // there's still one app with author id, rules should be kept
 165     check_exact_access("System", trusted_label, system_access);
 166     check_exact_access("User", trusted_label, system_access);
 167     check_exact_access(generateProcessLabel(provider.getAppId(), provider.getPkgId()),
 168                        trusted_label, "");
 169     check_exact_access(generatePathRWLabel(provider.getPkgId()), trusted_label, "");
 170     check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
 171                        trusted_label, trusted_access);
 172     check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
 173
 174     Api::uninstall(trustedApp);
 175
 176     // no more apps with author id
 177     check_exact_access("System", trusted_label, "");
 178     check_exact_access("User", trusted_label, "");
 179     check_exact_access(generateProcessLabel(user.getAppId(), user.getPkgId()),
 180                        trusted_label, "");
 181     check_exact_access(generatePathRWLabel(user.getPkgId()), trusted_label, "");
 182
 183     Api::uninstall(untrustedApp);
 184 }
 185
 186
 187 RUNNER_TEST(security_manager_44_app_install_with_trusted_path_no_author_id)
 188 {
 189     AppInstallHelper help("app44");
 190     help.createInstallDir();
 191     help.createTrustedDir();
 192
 193     // install app with shared/trusted dir but without authors id
 194     InstallRequest app;
 195     app.setAppId(help.getAppId());
 196     app.setPkgId(help.getPkgId());
 197     app.addPath(help.getTrustedDir(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 198     Api::install(app, SECURITY_MANAGER_ERROR_INPUT_PARAM);
 199 }
 200
 201 RUNNER_TEST(security_manager_45_test_authorId_identificator_creation)
 202 {
 203     std::vector<AppInstallHelper> helper {{"a45"}, {"b45"}};
 204     auto &trusted1 = helper[0];
 205     auto &trusted2 = helper[1];
 206
 207     TestSecurityManagerDatabase dbtest;
 208     const char *authorId1 = "custom_author_id_test a45";
 209     const char *authorId2 = "custom_author_id_test b45";
 210
 211     // cleanup
 212     for (auto &e : helper) {
 213         e.revokeRules();
 214         e.createInstallDir();
 215         e.createTrustedDir();
 216     }
 217
 218     // install app with shared/trusted dir
 219     InstallRequest trustingApp;
 220     trustingApp.setAppId(trusted1.getAppId());
 221     trustingApp.setPkgId(trusted1.getPkgId());
 222     trustingApp.setAuthorId(authorId1);
 223     trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 224     Api::install(trustingApp);
 225
 226     int64_t authorDb1 = dbtest.get_author_id(authorId1);
 227
 228     // install trusted app
 229     InstallRequest trustedApp;
 230     trustedApp.setAppId(trusted2.getAppId());
 231     trustedApp.setPkgId(trusted2.getPkgId());
 232     trustedApp.setAuthorId(authorId2);
 233     Api::install(trustedApp);
 234
 235     int64_t authorDb2 = dbtest.get_author_id(authorId2);
 236
 237     Api::uninstall(trustingApp);
 238     Api::uninstall(trustedApp);
 239
 240     RUNNER_ASSERT(authorDb1 != authorDb2);
 241 }
 242
 243 RUNNER_TEST(security_manager_46_pkgId_deinstalation_test)
 244 {
 245     /* Description:
 246      * Lets assume that app1 and app2 are part of pkg1.
 247      * Deinstalation of app1 mustnot remove rules:
 248      * System PKG1Label rwxatl
 249      * User PKGLabel rwxatl
 250      */
 251
 252     std::vector<AppInstallHelper> helper {{"a46", "a46"}, {"b46", "a46"}};
 253     auto &trusted1 = helper[0];
 254     auto &trusted2 = helper[1];
 255
 256     std::string authorId1 = "author46XYZ";
 257
 258     for (auto &e : helper) {
 259         e.revokeRules();
 260         e.createInstallDir();
 261         e.createTrustedDir();
 262     }
 263
 264     InstallRequest trustingApp;
 265     trustingApp.setAppId(trusted1.getAppId());
 266     trustingApp.setPkgId(trusted1.getPkgId());
 267     trustingApp.setAuthorId(authorId1);
 268     trustingApp.addPath(trusted1.getTrustedDir().c_str(), SECURITY_MANAGER_PATH_TRUSTED_RW);
 269     Api::install(trustingApp);
 270
 271     InstallRequest trustingApp2;
 272     trustingApp2.setAppId(trusted2.getAppId());
 273     trustingApp2.setPkgId(trusted2.getPkgId());
 274     trustingApp2.setAuthorId(authorId1);
 275     Api::install(trustingApp2);
 276
 277     check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
 278                        "rwxl");
 279     check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
 280                         "rwxl");
 281     check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
 282     check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
 283     check_exact_access("System", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()),
 284                        "rwxl");
 285     check_exact_access("User", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()),
 286                        "rwxl");
 287
 288     Api::uninstall(trustingApp2);
 289
 290     check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
 291                        "rwxl");
 292     check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()),
 293                        "rwxl");
 294     check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
 295     check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "rwxatl");
 296     check_exact_access("System", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()), "");
 297     check_exact_access("User", generateProcessLabel(trusted2.getAppId(), trusted2.getPkgId()), "");
 298
 299     Api::uninstall(trustingApp);
 300
 301     check_exact_access("System", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()), "");
 302     check_exact_access("User", generateProcessLabel(trusted1.getAppId(), trusted1.getPkgId()), "");
 303     check_exact_access("System", generatePathRWLabel(trusted1.getPkgId()), "");
 304     check_exact_access("User", generatePathRWLabel(trusted1.getPkgId()), "");
 305 }