2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
21 * @author Lukasz Wojciechowski (l.wojciechow@partner.samsung.com)
23 * @brief libprivilege-control test runner
36 #include <sys/types.h>
39 #include <sys/socket.h>
41 #include <sys/smack.h>
43 #include <privilege-control.h>
44 #include <dpl/test/test_runner.h>
45 #include <dpl/test/test_runner_child.h>
46 #include <dpl/test/test_runner_multiprocess.h>
47 #include <dpl/log/log.h>
48 #include <tests_common.h>
49 #include <libprivilege-control_test_common.h>
50 #include "common/duplicates.h"
51 #include "common/db.h"
54 // Error codes for test_libprivilege_strerror
55 const std::vector<int> error_codes {
56 PC_OPERATION_SUCCESS, PC_ERR_FILE_OPERATION, PC_ERR_MEM_OPERATION, PC_ERR_NOT_PERMITTED,
57 PC_ERR_INVALID_PARAM, PC_ERR_INVALID_OPERATION, PC_ERR_DB_OPERATION, PC_ERR_DB_LABEL_TAKEN,
58 PC_ERR_DB_QUERY_PREP, PC_ERR_DB_QUERY_BIND, PC_ERR_DB_QUERY_STEP, PC_ERR_DB_CONNECTION,
59 PC_ERR_DB_NO_SUCH_APP, PC_ERR_DB_PERM_FORBIDDEN
64 std::vector<std::string> gen_names(std::string prefix, std::string suffix, size_t size)
66 std::vector<std::string> names;
67 for(size_t i = 0; i < size; ++i) {
68 names.push_back(prefix + "_" + std::to_string(i) + suffix);
73 const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
74 const char *WRT_BLAHBLAH ="/usr/share/privilege-control/WGT_blahblah.smack";
75 const char *OTHER_BLAHBLAH ="/usr/share/privilege-control/blahblah.smack";
76 const std::vector<std::string> OSP_BLAHBLAH_DAC = gen_names("/usr/share/privilege-control/OSP_feature.blah.blahblah", ".dac", 16);
77 const char *WRT_BLAHBLAH_DAC ="/usr/share/privilege-control/WGT_blahblah.dac";
78 const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
79 const std::vector<std::string> BLAHBLAH_FEATURE = gen_names("http://feature/blah/blahblah", "", 16);
81 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
82 int /*typeflag*/, struct FTW* /*ftwbuf*/)
88 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
89 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
90 RUNNER_ASSERT_MSG_BT(label != NULL, "ACCESS label on " << fpath << " is not set");
91 result = strcmp(APPID_SHARED_DIR, label);
92 RUNNER_ASSERT_MSG_BT(result == 0, "ACCESS label on " << fpath << " is incorrect");
94 result = smack_have_access(USER_APP_ID, APPID_SHARED_DIR, "rwxatl");
95 RUNNER_ASSERT_MSG_BT(result == 1,
96 "Error rwxatl access was not given shared dir. Subject: " <<
97 USER_APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
99 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
100 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
101 RUNNER_ASSERT_MSG_BT(label == NULL, "EXEC label on " << fpath << " is set");
104 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
105 RUNNER_ASSERT_MSG_BT(result == 0, "Could not get label for the path");
106 if (S_ISDIR(sb->st_mode)) {
107 RUNNER_ASSERT_MSG_BT(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
108 result = strcmp("TRUE", label);
109 RUNNER_ASSERT_MSG_BT(result == 0, "TRANSMUTE label on " << fpath << " is not set");
111 RUNNER_ASSERT_MSG_BT(label == NULL, "TRANSMUTE label on " << fpath << " is set");
116 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids, std::string dac_file_path)
118 std::ifstream dac_file(dac_file_path);
119 RUNNER_ASSERT_MSG_BT(dac_file, "Line: " << line_no << " Failed to create " << dac_file_path);
121 auto it = gids.begin();
123 while (std::getline(dac_file,line)) {
124 std::istringstream is(line);
127 RUNNER_ASSERT_MSG_BT(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
128 RUNNER_ASSERT_MSG_BT(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
132 RUNNER_ASSERT_MSG_BT(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
137 void remove_smack_files()
140 unlink(OSP_BLAHBLAH);
141 unlink(WRT_BLAHBLAH);
142 unlink(OTHER_BLAHBLAH);
143 unlink(WRT_BLAHBLAH_DAC);
144 unlink(OTHER_BLAHBLAH_DAC);
146 for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
147 unlink(OSP_BLAHBLAH_DAC[i].c_str());
149 for(size_t i=0; i<OSP_BLAHBLAH_DAC.size(); ++i)
150 unlink(OSP_BLAHBLAH_DAC[i].c_str());
155 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
158 * Test setting labels for all files and folders in given path.
160 RUNNER_TEST(privilege_control02_app_label_dir)
164 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
165 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
167 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
168 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
172 result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
173 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
177 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
178 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for app dir");
180 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
181 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
184 RUNNER_TEST_SMACK(privilege_control03_app_label_shared_dir)
190 result = perm_app_install(APP_ID);
191 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
193 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, USER_APP_ID);
194 RUNNER_ASSERT_MSG_BT(result != 0, "perm_app_setup_path(APP_ID, USER_APP_ID) didn't fail");
198 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
199 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
201 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
202 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
206 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
207 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_setup_path() failed");
211 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
212 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for shared app dir");
214 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
215 RUNNER_ASSERT_MSG_BT(result == 0, "Unable to check Smack labels for non-app dir");
219 result = perm_app_uninstall(APP_ID);
220 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
226 * Revoke permissions from the list. Should be executed as privileged user.
228 RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_wgt)
230 test_revoke_permissions(__LINE__, WGT_APP_ID);
234 * Revoke permissions from the list. Should be executed as privileged user.
236 RUNNER_CHILD_TEST_SMACK(privilege_control06_revoke_permissions_osp)
238 test_revoke_permissions(__LINE__, OSP_APP_ID);
241 void test_set_app_privilege(
242 const char* app_id, app_type_t APP_TYPE,
243 const char** privileges, const char* type,
244 const char* app_path, const char* dac_file,
245 const rules_t &rules) {
246 check_app_installed(app_path);
252 result = perm_app_uninstall(app_id);
253 RUNNER_ASSERT_MSG_BT(result == 0,
254 " perm_app_uninstall returned " << result << ". "
255 "Errno: " << strerror(errno));
257 result = perm_app_install(app_id);
258 RUNNER_ASSERT_MSG_BT(result == 0,
259 " perm_app_install returned " << result << ". "
260 "Errno: " << strerror(errno));
263 result = perm_app_enable_permissions(app_id, APP_TYPE, privileges, false);
264 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
265 " Error registering app permissions. Result: " << result);
269 result = test_have_all_accesses(rules);
270 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
272 std::set<unsigned> groups_before;
273 read_user_gids(groups_before, APP_UID);
275 result = perm_app_set_privilege(app_id, type, app_path);
276 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
277 " Error in perm_app_set_privilege. Error: " << result);
279 // Check if SMACK label really set
281 result = smack_new_label_from_self(&label);
282 RUNNER_ASSERT_MSG_BT(result >= 0,
283 " Error getting current process label");
284 RUNNER_ASSERT_MSG_BT(label != NULL,
285 " Process label is not set");
287 result = strcmp(USER_APP_ID, label);
288 RUNNER_ASSERT_MSG_BT(result == 0,
289 " Process label " << label << " is incorrect");
291 check_groups(groups_before, dac_file);
295 * Set APP privileges. wgt.
297 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_wgt)
299 test_set_app_privilege(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, "wgt", WGT_APP_PATH,
300 LIBPRIVILEGE_TEST_DAC_FILE_WGT, rules_wgt);
304 * Set APP privileges. osp app.
306 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_osp)
308 test_set_app_privilege(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, "tpk", OSP_APP_PATH,
309 LIBPRIVILEGE_TEST_DAC_FILE_OSP, rules_osp);
312 RUNNER_CHILD_TEST_SMACK(privilege_control05_set_app_privilege_efl)
314 test_set_app_privilege(EFL_APP_ID, APP_TYPE_EFL, PRIVS_EFL,
316 LIBPRIVILEGE_TEST_DAC_FILE_EFL, rules_efl);
320 * Add new API feature
322 RUNNER_TEST(privilege_control11_add_api_feature)
326 remove_smack_files();
330 // argument validation
331 result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
332 RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM);
334 result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
335 RUNNER_ASSERT_BT(result == PC_ERR_INVALID_PARAM);
338 // Already existing feature:
339 // TODO: Database will be malformed. (Rules for these features will be removed.)
340 result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
341 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
343 result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
344 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
347 result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
348 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
350 result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
351 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
354 const char *test1[] = { NULL };
355 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[0].c_str(), test1, NULL, 0);
356 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
358 const char *test2[] = { "", NULL };
359 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[1].c_str(), test2, NULL, 0);
360 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
362 const char *test3[] = { " \t\n", "\t \n", "\n\t ", NULL };
363 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[2].c_str(), test3, NULL, 0);
364 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
367 const char *test4[] = { "malformed", NULL };
368 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[3].c_str(), test4, NULL, 0);
369 RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
371 const char *test5[] = { "malformed malformed", NULL };
372 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[4].c_str(), test5, NULL, 0);
373 RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
375 const char *test6[] = { "-malformed malformed rwxat", NULL };
376 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[5].c_str(), test6, NULL, 0);
377 RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
379 const char *test7[] = { "~/\"\\ malformed rwxat", NULL };
380 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[6].c_str(), test7, NULL, 0);
381 RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
383 const char *test8[] = { "subject object rwxat something else", NULL };
384 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[7].c_str(), test8, NULL, 0);
385 RUNNER_ASSERT_MSG_BT(result == PC_ERR_INVALID_PARAM, "perm_add_api_feature returned: " << result);
389 const char *test9[] = {
390 "~APP~ object\t rwxatl",
392 "subject2\t~APP~ ltxarw",
396 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[8].c_str(), test9, NULL, 0);
397 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
399 const char *test10[] = { "Sub::jE,ct ~APP~ a-rwxl", NULL };
400 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[9].c_str(), test10, NULL, 0);
401 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
403 const char *test11[] = { "Sub::sjE,ct ~APP~ a-RwXL", NULL }; // TODO This fails.
404 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[10].c_str(), test11, NULL, 0);
405 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
408 // TODO For now identical/complementary rules are not merged.
409 const char *test12[] = {
410 "subject1 ~APP~ rwxatl",
412 "subject2 ~APP~ ltxarw",
415 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[11].c_str(), test12, NULL, 0);
416 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
419 const char *test13[] = { "~APP~ b a", NULL};
420 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[12].c_str(), test13,(const gid_t[]) {0,1,2},0);
421 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
422 result = file_exists(OSP_BLAHBLAH_DAC[12].c_str());
423 RUNNER_ASSERT_BT(result == -1);
424 remove_smack_files();
428 result = perm_add_api_feature(APP_TYPE_OSP,BLAHBLAH_FEATURE[13].c_str(), test13,(const gid_t[]) {0,1,2},3);
429 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
430 osp_blahblah_dac_check(__LINE__, {0,1,2}, OSP_BLAHBLAH_DAC[13]);
431 remove_smack_files();
433 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[14].c_str(), test13,(const gid_t[]) {0,1,2},1);
434 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
435 osp_blahblah_dac_check(__LINE__, {0}, OSP_BLAHBLAH_DAC[14]);
436 remove_smack_files();
438 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE[15].c_str(), test13,(const gid_t[]) {1,1,1},3);
439 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_add_api_feature returned: " << result);
440 osp_blahblah_dac_check(__LINE__, {1,1,1},OSP_BLAHBLAH_DAC[15]);
441 remove_smack_files();
447 * Check perm_app_uninstall function
449 void check_perm_app_uninstall(const char* pkg_id)
455 result = perm_app_uninstall(pkg_id);
456 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned: " << perm_strerror(result));
461 RUNNER_TEST(privilege_control07_app_uninstall)
463 check_perm_app_uninstall(APP_ID);
467 * Check perm_app_install function
469 void check_perm_app_install(const char* pkg_id)
475 result = perm_app_install(pkg_id);
476 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
480 TestLibPrivilegeControlDatabase db_test;
481 db_test.test_db_after__perm_app_install(USER_APP_ID);
484 RUNNER_TEST(privilege_control01_app_install)
486 check_perm_app_uninstall(APP_ID);
487 check_perm_app_install(APP_ID);
488 // try install second time app with the same ID - it should pass.
489 check_perm_app_install(APP_ID);
493 * Check perm_rollback function
495 RUNNER_TEST(privilege_control07_app_rollback)
497 check_perm_app_uninstall(APP_ID);
503 result = perm_app_install(APP_ID);
504 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
506 // transaction rollback
507 result = perm_rollback();
508 RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result));
513 RUNNER_TEST(privilege_control07_app_rollback_2)
515 check_perm_app_uninstall(APP_ID);
521 result = perm_app_install(APP_ID);
522 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
524 // transaction rollback
525 result = perm_rollback();
526 RUNNER_ASSERT_MSG_BT(result == 0, "perm_rollback returned: " << perm_strerror(result));
528 // install once again after the rollback
529 result = perm_app_install(APP_ID);
530 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned: " << perm_strerror(result));
534 TestLibPrivilegeControlDatabase db_test;
535 db_test.test_db_after__perm_app_install(USER_APP_ID);
539 * Grant SMACK permissions based on permissions list.
541 RUNNER_TEST_SMACK(privilege_control11_app_enable_permissions)
545 // Clean up after test:
548 result = perm_app_uninstall(WGT_APP_ID);
549 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
550 result = perm_app_install(WGT_APP_ID);
551 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
554 * Test - Enabling all permissions with persistant mode enabled
556 result = perm_app_revoke_permissions(WGT_APP_ID);
557 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
558 "Error revoking app permissions. Result: " << result);
560 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
561 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
562 " Error registering app permissions. Result: " << result);
566 // Check if the accesses are realy applied..
567 result = test_have_all_accesses(rules2);
568 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
573 result = perm_app_revoke_permissions(WGT_APP_ID);
574 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
575 "Error revoking app permissions. Result: " << result);
580 * Test - Enabling all permissions with persistant mode disabled
584 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
585 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
586 " Error registering app permissions. Result: " << result);
588 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
589 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
590 " Error enabling app permissions. Result: " << result);
594 // Check if the accesses are realy applied..
595 result = test_have_all_accesses(rules2);
596 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
601 result = perm_app_revoke_permissions(WGT_APP_ID);
602 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
603 "Error revoking app permissions. Result: " << result);
608 * Test - Registering new permissions in two complementary files
613 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R, false);
614 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
615 " Error registering app permissions. Result: " << result);
619 // Check if the accesses are realy applied..
620 result = test_have_all_accesses(rules2_no_r);
621 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions not added.");
626 result = perm_app_revoke_permissions(WGT_APP_ID);
627 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
628 "Error revoking app permissions. Result: " << result);
633 * Test - Enabling some permissions and then enabling complementary permissions
638 // Register permission for rules 2 no r
639 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
640 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
641 " Error registering app permissions without r. Result: " << result);
645 // Check if the accesses are realy applied..
646 result = test_have_all_accesses(rules2_no_r);
647 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added.");
651 // Register permission for rules 2
652 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, false);
653 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
654 " Error registering app all permissions. Result: " << result);
658 // Check if the accesses are realy applied..
659 result = test_have_all_accesses(rules2);
660 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions all not added.");
665 result = perm_app_revoke_permissions(WGT_APP_ID);
666 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
667 "Error revoking app permissions. Result: " << result);
670 * Test - Enabling some permissions and then enabling all permissions
673 // Enable permission for rules 2 no r
674 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
675 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
676 " Error registering app permissions without r. Result: " << result);
680 // Check if the accesses are realy applied..
681 result = test_have_all_accesses(rules2_no_r);
682 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions without r not added.");
686 // Enable permission for rules 2
687 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
688 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
689 " Error registering app permissions with only r. Result: " << result);
693 // Check if the accesses are realy applied..
694 result = test_have_all_accesses(rules2_r);
695 RUNNER_ASSERT_MSG_BT(result == 1, "Permissions with only r not added.");
700 result = perm_app_revoke_permissions(WGT_APP_ID);
701 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
702 "Error revoking app permissions. Result: " << result);
706 // Clean up after test:
707 result = perm_app_uninstall(WGT_APP_ID);
708 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
713 RUNNER_CHILD_TEST_SMACK(privilege_control11_app_enable_permissions_efl)
715 test_app_enable_permissions_efl(true);
719 * Check perm_app_install function
721 RUNNER_CHILD_TEST_SMACK(privilege_control12_app_disable_permissions_efl)
723 test_app_disable_permissions_efl(true);
728 * Remove previously granted SMACK permissions based on permissions list.
730 RUNNER_TEST_SMACK(privilege_control12_app_disable_permissions)
732 test_app_disable_permissions(true);
736 * Reset SMACK permissions for an application by revoking all previously
737 * granted rules and enabling them again from a rules file from disk.
739 // TODO: This test is incomplete.
740 RUNNER_TEST_SMACK(privilege_control13_app_reset_permissions)
745 * Test - doing reset and checking if rules exist again.
750 result = perm_app_install(WGT_APP_ID);
751 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
753 // Disable permissions
754 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
755 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
756 "Error disabling app permissions. Result: " << result);
758 // Prepare permissions to reset
759 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2, true);
760 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
761 " Error registering app permissions. Result: " << result);
764 result = perm_app_reset_permissions(WGT_APP_ID);
765 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
766 "Error reseting app permissions. Result: " << result);
770 // Are all second permissions not disabled?
771 result = test_have_all_accesses(rules2);
772 RUNNER_ASSERT_MSG_BT(result == 1, "Not all permissions added.");
776 // Disable permissions
777 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2);
778 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
779 "Error disabling app permissions. Result: " << result);
781 result = perm_app_uninstall(WGT_APP_ID);
782 RUNNER_ASSERT_MSG_BT(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
787 static void smack_set_random_label_based_on_pid_on_self(void)
790 std::stringstream ss;
792 ss << "s-" << getpid() << "-" << getppid();
793 result = smack_set_label_for_self(ss.str().c_str());
794 RUNNER_ASSERT_MSG_BT(result == 0, "smack_set_label_for_self("
795 << ss.str().c_str() << ") failed");
798 static void smack_unix_sock_server(int sock)
804 fd = accept(sock, NULL, NULL);
808 result = smack_new_label_from_self(&smack_label);
813 RUNNER_ASSERT_MSG_BT(0, "smack_new_label_from_self() failed");
815 result = write(fd, smack_label, strlen(smack_label));
816 if (result != (int)strlen(smack_label)) {
820 RUNNER_ASSERT_MSG_BT(0, "write() failed: " << strerror(errno));
826 RUNNER_MULTIPROCESS_TEST_SMACK(privilege_control15_app_id_from_socket)
829 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
833 RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
835 smack_set_random_label_based_on_pid_on_self();
837 if (!pid) { /* child process, server */
840 /* Set the process label before creating a socket */
841 sock = socket(AF_UNIX, SOCK_STREAM, 0);
842 RUNNER_ASSERT_MSG_BT(sock >= 0, "socket failed: " << strerror(errno));
844 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
847 RUNNER_ASSERT_MSG_BT(0, "bind failed: " << strerror(errno));
849 result = listen(sock, 1);
852 RUNNER_ASSERT_MSG_BT(0, "listen failed: " << strerror(errno));
854 smack_unix_sock_server(sock);
856 /* Change the process label with listening socket */
857 smack_unix_sock_server(sock);
860 RUNNER_ASSERT_MSG_BT(pid >= 0, "Fork failed");
861 /* Now running two concurrent servers.
862 Test if socket label was unaffected by fork() */
863 smack_unix_sock_server(sock);
864 /* Let's give the two servers different labels */
865 smack_unix_sock_server(sock);
869 } else { /* parent process, client */
870 sleep(1); /* Give server some time to setup listening socket */
872 for (i = 0; i < 4; ++i) {
875 char smack_label1[SMACK_LABEL_LEN + 1];
878 sock = socket(AF_UNIX, SOCK_STREAM, 0);
879 RUNNER_ASSERT_MSG_BT(sock >= 0,
880 "socket failed: " << strerror(errno));
881 result = connect(sock,
882 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
885 RUNNER_ASSERT_MSG_BT(0, "connect failed: " << strerror(errno));
889 result = read(sock, smack_label1, SMACK_LABEL_LEN);
893 RUNNER_ASSERT_MSG_BT(0, "read failed: " << strerror(errno));
895 smack_label1[result] = '\0';
896 smack_label2 = perm_app_id_from_socket(sock);
897 if (smack_label2 == NULL) {
899 RUNNER_ASSERT_MSG_BT(0, "perm_app_id_from_socket failed");
901 result = strcmp(smack_label1, smack_label2);
904 RUNNER_ASSERT_MSG_BT(0, "smack labels differ: '" << smack_label1
905 << "' != '" << smack_label2 << "-" << random() << "'");
912 RUNNER_TEST(privilege_control16_app_setup_path){
913 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
914 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
915 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
916 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
917 const char *label1 = "qwert123456za";
918 const char *label2 = "trewq654123az";
925 int fd = creat(path3, S_IRWXU);
928 fd = creat(path4, S_IRWXU);
936 RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
940 RUNNER_ASSERT_BT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
941 labelPtr.reset(label);
943 RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label1));
947 RUNNER_ASSERT_BT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
951 RUNNER_ASSERT_BT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
952 labelPtr.reset(label);
954 RUNNER_ASSERT_BT(0 == strcmp(labelPtr.get(), label2));
956 RUNNER_ASSERT_BT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
957 labelPtr.reset(label);
959 RUNNER_ASSERT_BT(labelPtr.get() == NULL);
962 RUNNER_TEST_SMACK(privilege_control17_appsettings_privilege)
964 test_appsettings_privilege(true);
967 void test_app_setup_path(int line_no, app_path_type_t PATH_TYPE) {
972 result = perm_app_uninstall(APP_ID);
973 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
974 " Error in perm_app_uninstall." << result);
976 result = perm_app_install(APP_ID);
977 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
978 " Error in perm_app_install." << result);
982 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
983 RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
984 " Unable to clean up Smack labels in " << TEST_APP_DIR);
986 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
987 RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
988 " Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
992 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, PATH_TYPE);
993 RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
994 " perm_app_setup_path() failed");
998 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
999 RUNNER_ASSERT_MSG_BT(result == 0, "Line: " << line_no <<
1000 " Unable to check Smack labels for non-app dir");
1004 result = perm_app_uninstall(APP_ID);
1005 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS, "Line: " << line_no <<
1006 " Error in perm_app_uninstall." << result);
1011 RUNNER_TEST_SMACK(privilege_control18_app_setup_path_public)
1013 test_app_setup_path(__LINE__, APP_PATH_PUBLIC_RO);
1016 RUNNER_TEST_SMACK(privilege_control19_app_setup_path_settings)
1018 test_app_setup_path(__LINE__, APP_PATH_SETTINGS_RW);
1021 void check_perm_app_has_permission(const char* app_label, const char* permission, bool is_enabled_expected)
1026 result = perm_app_has_permission(app_label, APP_TYPE_WGT, permission, &is_enabled);
1027 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1028 "Error calling perm_app_has_permission. Result: " << result);
1030 RUNNER_ASSERT_MSG_BT(is_enabled == is_enabled_expected,
1031 "Result of perm_app_has_permission should be: " << is_enabled_expected);
1034 RUNNER_TEST(privilege_control20_perm_app_has_permission)
1037 const char *other_app_label = "test_other_app_label";
1041 result = perm_app_uninstall(WGT_APP_ID);
1042 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1043 "Error uninstalling app. Result" << result);
1045 result = perm_app_install(WGT_APP_ID);
1046 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1047 "Error installing app. Result" << result);
1049 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R_AND_NO_R);
1050 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1051 "Error disabling app r and no r permissions. Result: " << result);
1055 check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
1056 check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
1057 check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
1058 check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
1062 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R, false);
1063 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1064 "Error registering app r permissions. Result: " << result);
1068 check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true);
1069 check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
1070 check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
1071 check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
1075 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R, false);
1076 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1077 "Error registering app r permissions. Result: " << result);
1081 check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], true);
1082 check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true);
1083 check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
1084 check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
1088 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_R);
1089 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1090 "Error disabling app r and no r permissions. Result: " << result);
1094 check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
1095 check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], true);
1096 check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
1097 check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
1101 result = perm_app_disable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS2_NO_R);
1102 RUNNER_ASSERT_MSG_BT(result == PC_OPERATION_SUCCESS,
1103 "Error disabling app r and no r permissions. Result: " << result);
1107 check_perm_app_has_permission(USER_APP_ID, PRIVS2_R[0], false);
1108 check_perm_app_has_permission(USER_APP_ID, PRIVS2_NO_R[0], false);
1109 check_perm_app_has_permission(other_app_label, PRIVS2_R[0], false);
1110 check_perm_app_has_permission(other_app_label, PRIVS2_NO_R[0], false);
1113 RUNNER_TEST(privilege_control25_test_libprivilege_strerror) {
1114 int POSITIVE_ERROR_CODE = 1;
1115 int NONEXISTING_ERROR_CODE = -239042;
1118 for (auto itr = error_codes.begin(); itr != error_codes.end(); ++itr) {
1119 RUNNER_ASSERT_MSG_BT(strcmp(perm_strerror(*itr), "Unknown error") != 0,
1120 "Returned invalid error code description.");
1123 result = perm_strerror(POSITIVE_ERROR_CODE);
1124 RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
1125 "Bad message returned for invalid error code: \"" << result << "\"");
1127 result = perm_strerror(NONEXISTING_ERROR_CODE);
1128 RUNNER_ASSERT_MSG_BT(strcmp(result, "Unknown error") == 0,
1129 "Bad message returned for invalid error code: \"" << result << "\"");