Clean up libprivilege-control test cases

[platform/core/test/security-tests.git] / tests / libprivilege-control-tests / libprivilege-control_test_common.cpp

/*
 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
 *
 *    Licensed under the Apache License, Version 2.0 (the "License");
 *    you may not use this file except in compliance with the License.
 *    You may obtain a copy of the License at
 *
 *        http://www.apache.org/licenses/LICENSE-2.0
 *
 *    Unless required by applicable law or agreed to in writing, software
 *    distributed under the License is distributed on an "AS IS" BASIS,
 *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *    See the License for the specific language governing permissions and
 *    limitations under the License.
 */
/**
 * @file    libprivilege-control-test.cpp
 * @author  Jan Olszak (j.olszak@samsung.com)
 * @version 1.0
 * @brief   Main file for libprivilege-control unit tests.
 */

#include <string>
#include <set>
#include <libprivilege-control_test_common.h>
#include <sys/smack.h>
#include <dpl/test/test_runner.h>

#define CANARY_LABEL             "tiny_yellow_canary"

const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };

const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };

const char* PRIV_APPSETTING[] {"org.tizen.privilege.appsetting", NULL};

void cleaning_smack_app_files (void)
{
    unlink(SMACK_RULES_DIR APP_TEST_APP_1);
    unlink(SMACK_RULES_DIR APP_TEST_APP_2);
    unlink(SMACK_RULES_DIR APP_TEST_APP_3);
    unlink(SMACK_RULES_DIR APP_TEST_AV_1);
    unlink(SMACK_RULES_DIR APP_TEST_AV_2);
    unlink(SMACK_RULES_DIR APP_TEST_AV_3);
}

/**
 * Check if every rule is true.
 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
 */
int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
{
    int result;
    for (uint i = 0; i < rules.size(); ++i) {
        result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
        if (result != 1)
            return result;
    }
    return 1;
}

/**
 * Check if every rule is true.
 * @return 1 if ANY rule in SMACK, 0 if
 */
int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
{
    int result;
    for (uint i = 0; i < rules.size(); ++i) {
        result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
        if (result == 1)
            return 1;
    }
    return 0;
}

void read_gids(std::set<unsigned> &set, const char *file_path)
{
    FILE *f = fopen(file_path, "r");
    RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
    unsigned gid;
    while (fscanf(f, "%u\n", &gid) == 1) {
        set.insert(gid);
    }
}

void check_groups(const char *dac_file)
{
    std::set<unsigned> groups_check;
    read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
    read_gids(groups_check, dac_file);

    int groups_cnt = getgroups(0, NULL);
    RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
    gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
    RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
    RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));

    for (int i = 0; i < groups_cnt; ++i) {
        //getgroups() can return multiple number of the same group
        //they are returned in sequence, so we will given number when last
        //element of this number is reached
        if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
            continue;
        if (groups_check.erase(groups_list[i]) == 0) {
            // getgroups() may also return process' main group
            if (groups_list[i] != getgid())
                RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
        }
    }
    free(groups_list);
    std::string groups_left;
    for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
        groups_left.append(std::to_string(*it)).append(" ");
    }
    RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
}

int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
                       int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
    smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
    smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
    smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);

    return 0;
}

int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
                               int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
    int result;
    char *label;

    /* ACCESS */
    result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
    RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
    RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
    result = strcmp(APPID_DIR, label);
    RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");

    /* EXEC */
    result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
    RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
    if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
        RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
        result = strcmp(APPID_DIR, label);
        RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
    } else if (S_ISLNK(sb->st_mode)) {
        struct stat buf;
        char *target = realpath(fpath, NULL);
        RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
        free(target);
        if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
            RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
        } else {
            RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
            result = strcmp(APPID_DIR, label);
            RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
        }
    } else
        RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");

    /* TRANSMUTE */
    result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
    RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
    RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");

    return 0;
 }

int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
                                int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
    smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
    smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
    smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);

    return 0;
}

int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
                                  int /*typeflag*/, struct FTW* /*ftwbuf*/)
{
    int result;
    char *label;

    /* ACCESS */
    result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
    RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
    result = strcmp(CANARY_LABEL, label);
    RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");

    /* EXEC */
    result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
    RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
    result = strcmp(CANARY_LABEL, label);
    RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");

    /* TRANSMUTE */
    result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
    RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
    RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");

    return 0;
}