2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
33 #include <dpl/test/test_runner.h>
34 #include <dpl/test/test_runner_child.h>
35 #include <dpl/log/log.h>
36 #include <sys/types.h>
39 #include <sys/xattr.h>
40 #include <sys/smack.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
45 #include <privilege-control.h>
50 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
51 #define SMACK_LOAD2 "/smack/load2"
52 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
53 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
54 #define APPID_DIR "test_APP_ID_dir"
55 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
56 #define CANARY_LABEL "tiny_yellow_canary"
58 #define APP_ID "test_APP"
59 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
60 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
62 #define WGT_APP_ID "QwCqJ0ttyS"
63 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
64 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
65 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
66 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
67 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
69 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
70 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
71 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
72 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
73 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
74 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
76 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
77 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
78 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
80 #define APP_TEST_APP_1 "test-application1"
81 #define APP_TEST_APP_2 "test-application_2"
82 #define APP_TEST_APP_3 "test-app-3"
83 #define APP_TEST_AV_1 "test-antivirus1"
84 #define APP_TEST_AV_2 "test-antivirus_2"
85 #define APP_TEST_AV_3 "test-av-3"
87 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
88 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
89 #define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
90 #define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
91 #define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
93 #define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
94 #define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
95 #define APP_TEST_AV_ASP1 "test-app-av-asp1"
96 #define APP_TEST_AV_ASP2 "test-app-av-asp2"
98 #define SOCK_PATH "/tmp/test-smack-socket"
102 #define APP_USER_NAME "app"
103 #define APP_HOME_DIR "/opt/home/app"
105 #define APP_FRIEND_1 "app_friend_1"
106 #define APP_FRIEND_2 "app_friend_2"
108 // How many open file descriptors should ftw() function use?
109 #define FTW_MAX_FDS 16
111 // Rules from test_privilege_control_rules.smack
112 const std::vector< std::vector<std::string> > rules = {
113 { APP_ID, "test_book_1", "r" },
114 { APP_ID, "test_book_2", "w" },
115 { APP_ID, "test_book_3", "x" },
116 { APP_ID, "test_book_4", "rw" },
117 { APP_ID, "test_book_5", "rx" },
118 { APP_ID, "test_book_6", "wx" },
119 { APP_ID, "test_book_7", "rwx" },
120 { "test_subject_1", APP_ID, "r" },
121 { "test_subject_2", APP_ID, "w" },
122 { "test_subject_3", APP_ID, "x" },
123 { "test_subject_4", APP_ID, "rw" },
124 { "test_subject_5", APP_ID, "rx" },
125 { "test_subject_6", APP_ID, "wx" },
126 { "test_subject_7", APP_ID, "rwx" },
127 { APP_ID, APPID_SHARED_DIR, "rwxat"}};
129 // Rules from test_privilege_control_rules2.smack
130 const std::vector< std::vector<std::string> > rules2 = {
131 { APP_ID, "test_book_8", "r" },
132 { APP_ID, "test_book_9", "w" },
133 { APP_ID, "test_book_10", "x" },
134 { APP_ID, "test_book_11", "rw" },
135 { APP_ID, "test_book_12", "rx" },
136 { APP_ID, "test_book_13", "wx" },
137 { APP_ID, "test_book_14", "rwx" },
138 { APP_ID, "test_book_15", "rwxat" },
139 { "test_subject_8", APP_ID, "r" },
140 { "test_subject_9", APP_ID, "w" },
141 { "test_subject_10", APP_ID, "x" },
142 { "test_subject_11", APP_ID, "rw" },
143 { "test_subject_12", APP_ID, "rx" },
144 { "test_subject_13", APP_ID, "wx" },
145 { "test_subject_14", APP_ID, "rwx" },
146 { "test_subject_15", APP_ID, "rwxat" }};
148 // Rules from test_privilege_control_rules_no_r.smack
149 const std::vector< std::vector<std::string> > rules2_no_r = {
150 { APP_ID, "test_book_9", "w" },
151 { APP_ID, "test_book_10", "x" },
152 { APP_ID, "test_book_11", "w" },
153 { APP_ID, "test_book_12", "x" },
154 { APP_ID, "test_book_13", "wx" },
155 { APP_ID, "test_book_14", "wx" },
156 { APP_ID, "test_book_15", "wxat" },
157 { "test_subject_9", APP_ID, "w" },
158 { "test_subject_10", APP_ID, "x" },
159 { "test_subject_11", APP_ID, "w" },
160 { "test_subject_12", APP_ID, "x" },
161 { "test_subject_13", APP_ID, "wx" },
162 { "test_subject_14", APP_ID, "wx" },
163 { "test_subject_15", APP_ID, "wxat" }};
165 // Rules from test_privilege_control_rules.smack
166 // minus test_privilege_control_rules_no_r.smack
167 const std::vector< std::vector<std::string> > rules2_r = {
168 { APP_ID, "test_book_8", "r" },
169 { APP_ID, "test_book_11", "r" },
170 { APP_ID, "test_book_12", "r" },
171 { APP_ID, "test_book_14", "r" },
172 { APP_ID, "test_book_15", "r" },
173 { "test_subject_8", APP_ID, "r" },
174 { "test_subject_11", APP_ID, "r" },
175 { "test_subject_12", APP_ID, "r" },
176 { "test_subject_14", APP_ID, "r" },
177 { "test_subject_15", APP_ID, "r" }};
179 // Rules from test_privilege_control_rules_wgt.smack for wgt
180 const std::vector< std::vector<std::string> > rules_wgt = {
181 { WGT_APP_ID, "test_book_8", "r" },
182 { WGT_APP_ID, "test_book_9", "w" },
183 { WGT_APP_ID, "test_book_10", "x" },
184 { WGT_APP_ID, "test_book_11", "rw" },
185 { WGT_APP_ID, "test_book_12", "rx" },
186 { WGT_APP_ID, "test_book_13", "wx" },
187 { WGT_APP_ID, "test_book_14", "rwx" },
188 { WGT_APP_ID, "test_book_15", "rwxat" },
189 { "test_subject_8", WGT_APP_ID, "r" },
190 { "test_subject_9", WGT_APP_ID, "w" },
191 { "test_subject_10", WGT_APP_ID, "x" },
192 { "test_subject_11", WGT_APP_ID, "rw" },
193 { "test_subject_12", WGT_APP_ID, "rx" },
194 { "test_subject_13", WGT_APP_ID, "wx" },
195 { "test_subject_14", WGT_APP_ID, "rwx" },
196 { "test_subject_15", WGT_APP_ID, "rwxat" }};
198 // Rules from test_privilege_control_rules_wgt.smack for wgt_partner
199 const std::vector< std::vector<std::string> > rules_wgt_partner = {
200 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
201 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
202 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
203 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
204 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
205 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
206 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
207 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
208 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
209 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
210 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
211 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
212 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
213 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
214 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
215 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }};
217 // Rules from test_privilege_control_rules_wgt.smack for wgt_platform
218 const std::vector< std::vector<std::string> > rules_wgt_platform = {
219 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
220 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
221 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
222 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
223 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
224 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
225 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
226 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
227 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
228 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
229 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
230 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
231 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
232 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
233 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
234 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }};
238 typedef std::unique_ptr<smack_accesses,std::function<void(smack_accesses*)>> SmackUniquePtr;
240 const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
241 const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
242 const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
243 const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
244 const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
245 const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
246 const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
249 * Check if every rule is true.
250 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
252 int test_have_all_accesses(const std::vector< std::vector<std::string> >& rules){
254 for(uint i =0; i<rules.size();++i ){
255 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
263 * Check if every rule is true.
264 * @return 1 if ANY rule in SMACK, 0 if
266 int test_have_any_accesses(const std::vector< std::vector<std::string> >& rules){
268 for(uint i =0; i<rules.size();++i ){
269 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
276 int nftw_remove_labels(const char *fpath, const struct stat * /*sb*/,
277 int /*typeflag*/, struct FTW * /*ftwbuf*/)
279 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
280 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
281 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
286 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
287 int /*typeflag*/, struct FTW * /*ftwbuf*/)
289 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
290 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
291 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
296 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
297 int /*typeflag*/, struct FTW * /*ftwbuf*/)
303 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
304 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
305 result = strcmp(CANARY_LABEL, label);
306 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
309 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
310 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
311 result = strcmp(CANARY_LABEL, label);
312 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
315 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
316 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
317 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
322 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
323 int /*typeflag*/, struct FTW * /*ftwbuf*/)
329 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
330 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
331 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
332 result = strcmp(APPID_DIR, label);
333 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
336 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
337 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
338 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
339 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
340 result = strcmp(APPID_DIR, label);
341 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
342 } else if(S_ISLNK(sb->st_mode)) {
344 char* target = realpath(fpath, NULL);
345 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
347 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
348 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
350 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
351 result = strcmp(APPID_DIR, label);
352 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
355 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
358 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
359 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
360 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
365 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
366 int /*typeflag*/, struct FTW * /*ftwbuf*/)
372 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
373 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
374 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
375 result = strcmp(APPID_SHARED_DIR, label);
376 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
378 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
379 RUNNER_ASSERT_MSG(result == 1,
380 "Error rwxat access was not given shared dir. Subject: " <<
381 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
383 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
384 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
385 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
388 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
389 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
390 if (S_ISDIR(sb->st_mode)) {
391 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
392 result = strcmp("TRUE", label);
393 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
395 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
400 int check_labels_dir(const char *fpath, const struct stat *sb,
401 const char* labels_db_path, const char* dir_db_path,
407 char* scanf_label_format;
408 char label_temp[SMACK_LABEL_LEN + 1];
412 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
413 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
414 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
417 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
420 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
425 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
429 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
433 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
435 if (S_ISDIR(sb->st_mode)) {
439 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
441 result = strcmp("TRUE", label);
445 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
447 } else if(label != NULL){
450 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
455 if(0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)){
457 RUNNER_ASSERT_MSG(false, "asprintf failed");
460 file_db = fopen(labels_db_path, "r");
463 free(scanf_label_format);
464 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
466 while(fscanf(file_db, scanf_label_format, label_temp)==1){
467 result = smack_have_access(label_temp, label_gen, access);
471 free(scanf_label_format);
472 RUNNER_ASSERT_MSG(false,
473 "Error " << access << " access was not given for subject: "
474 << label_temp << ". Result: " << result);
479 file_db = fopen(dir_db_path, "r");
482 free(scanf_label_format);
483 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
486 while(fscanf(file_db, scanf_label_format, label_temp)==1){
487 if(strcmp(label_gen, label_temp) == 0){
492 free(scanf_label_format);
496 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
501 int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
502 int /*typeflag*/, struct FTW * /*ftwbuf*/)
504 return check_labels_dir(fpath, sb,
505 SMACK_APPS_LABELS_DATABASE,
506 SMACK_PUBLIC_DIRS_DATABASE, "rx");
509 int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
510 int /*typeflag*/, struct FTW * /*ftwbuf*/)
512 return check_labels_dir(fpath, sb,
513 SMACK_APPS_SETTINGS_LABELS_DATABASE,
514 SMACK_SETTINGS_DIRS_DATABASE, "rwx");
517 int file_exists(const char* path)
519 FILE* file = fopen(path, "r");
527 void osp_blahblah_check(int line_no, const std::vector<std::string>& rules)
529 std::ifstream smack_file(OSP_BLAHBLAH);
530 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
532 auto it = rules.begin();
534 while(std::getline(smack_file,line)) {
535 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
536 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
540 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
545 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned>& gids)
547 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
548 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
550 auto it = gids.begin();
552 while(std::getline(dac_file,line)) {
553 std::istringstream is(line);
556 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
557 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
561 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
566 void remove_smack_files()
569 unlink(OSP_BLAHBLAH);
570 unlink(WRT_BLAHBLAH);
571 unlink(OTHER_BLAHBLAH);
572 unlink(OSP_BLAHBLAH_DAC);
573 unlink(WRT_BLAHBLAH_DAC);
574 unlink(OTHER_BLAHBLAH_DAC);
577 int cleaning_smack_app_files (void)
579 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
581 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
583 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
585 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
587 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
589 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
594 int cleaning_smack_database_files (void)
599 unlink(SMACK_APPS_LABELS_DATABASE);
600 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
606 unlink(SMACK_AVS_LABELS_DATABASE);
607 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
612 //clean app settings database
613 unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
614 fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
619 //clean public dirs database
620 unlink(SMACK_PUBLIC_DIRS_DATABASE);
621 fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
626 //clean settings dirs database
627 unlink(SMACK_SETTINGS_DIRS_DATABASE);
628 fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
636 void add_lables_to_db()
640 file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
641 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
642 << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
643 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
645 RUNNER_ASSERT_MSG(false, "Error writing to database file");
647 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
649 RUNNER_ASSERT_MSG(false, "Error writing to database file");
653 file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
654 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
655 << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
656 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
658 RUNNER_ASSERT_MSG(false, "Error writing to database file");
660 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
662 RUNNER_ASSERT_MSG(false, "Error writing to database file");
666 file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
667 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
668 << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
669 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
671 RUNNER_ASSERT_MSG(false, "Error writing to database file");
673 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
675 RUNNER_ASSERT_MSG(false, "Error writing to database file");
677 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
679 RUNNER_ASSERT_MSG(false, "Error writing to database file");
681 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
683 RUNNER_ASSERT_MSG(false, "Error writing to database file");
689 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
692 * Test setting labels for all files and folders in given path.
694 RUNNER_TEST(privilege_control02_app_label_dir)
698 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
699 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
701 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
702 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
704 result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
705 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
707 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
708 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
710 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
711 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
714 RUNNER_TEST(privilege_control03_app_label_shared_dir)
718 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
719 RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail");
721 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
722 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
724 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
725 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
727 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
728 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
730 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
731 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
733 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
734 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
738 * Add permisions from test_privilege_control_rules template
740 RUNNER_TEST(privilege_control04_add_permissions)
742 int result = app_add_permissions(APP_ID, PRIVS);
743 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
744 " Error adding app permissions. Result: " << result);
746 // Check if the accesses are realy applied..
747 result = test_have_all_accesses(rules);
748 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
751 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
752 RUNNER_ASSERT_MSG(pFile != NULL,
753 "SMACK file NOT created!. Errno: " << errno);
756 fseek(pFile, 0L, SEEK_END);
757 int smack_file_length = ftell(pFile);
758 RUNNER_ASSERT_MSG(smack_file_length>0,
759 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
767 * Revoke permissions from the list. Should be executed as privileged user.
769 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
774 // Revoke permissions
775 result = app_revoke_permissions(APP_ID);
776 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
777 "Error revoking app permissions. Result: " << result);
779 result = app_revoke_permissions(WGT_APP_ID);
780 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
781 "Error revoking app permissions. Result: " << result);
782 result = app_revoke_permissions(WGT_PARTNER_APP_ID);
783 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
784 "Error revoking app permissions. Result: " << result);
785 result = app_revoke_permissions(WGT_PLATFORM_APP_ID);
786 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
787 "Error revoking app permissions. Result: " << result);
789 // Are all the permissions revoked?
790 result = test_have_any_accesses(rules);
791 RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
792 result = test_have_any_accesses(rules_wgt);
793 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
794 result = test_have_any_accesses(rules_wgt_partner);
795 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
796 result = test_have_any_accesses(rules_wgt_platform);
797 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
799 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
800 RUNNER_ASSERT_MSG(pFile != NULL,
801 "SMACK file removed!. Errno: " << errno);
803 fseek(pFile, 0L, SEEK_END);
804 int smack_file_length = ftell(pFile);
805 RUNNER_ASSERT_MSG(smack_file_length==0,
806 "SMACK file not empty.. Errno: " << errno);
810 pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb");
811 RUNNER_ASSERT_MSG(pFile != NULL,
812 "SMACK file removed!. Errno: " << errno);
814 fseek(pFile, 0L, SEEK_END);
815 smack_file_length = ftell(pFile);
816 RUNNER_ASSERT_MSG(smack_file_length==0,
817 "SMACK file not empty.. Errno: " << errno);
821 pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb");
822 RUNNER_ASSERT_MSG(pFile != NULL,
823 "SMACK file removed!. Errno: " << errno);
825 fseek(pFile, 0L, SEEK_END);
826 smack_file_length = ftell(pFile);
827 RUNNER_ASSERT_MSG(smack_file_length==0,
828 "SMACK file not empty.. Errno: " << errno);
832 pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb");
833 RUNNER_ASSERT_MSG(pFile != NULL,
834 "SMACK file removed!. Errno: " << errno);
836 fseek(pFile, 0L, SEEK_END);
837 smack_file_length = ftell(pFile);
838 RUNNER_ASSERT_MSG(smack_file_length==0,
839 "SMACK file not empty.. Errno: " << errno);
844 static void read_gids(std::set<unsigned> &set, const char* file_path)
846 FILE *f = fopen(file_path, "r");
847 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
849 while (fscanf(f, "%u\n", &gid) == 1) {
854 RUNNER_TEST(privilege_control05_add_shared_dir_readers)
857 #define TEST_OBJ "TEST_OBJECT"
858 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
859 #define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----"
860 #define test_string_21 "TEST_trzy TEST_OBJA -wx--\n"
861 #define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n"
868 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
869 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
870 const int READ_BUF_SIZE = 1000;
871 char buf[READ_BUF_SIZE];
873 struct smack_accesses * rules = NULL;
875 //test what happens when the label is not correct SMACK label
876 result = smack_accesses_new(&rules);
877 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
879 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
880 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
882 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
883 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
885 smack_accesses_free(rules);
887 //ok, now the correct list of apps
888 result = smack_accesses_new(&rules);
889 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
891 for (i = 0; i < 3; i++) {
893 (void)app_uninstall(app_labels[i]);
894 result = app_install(app_labels[i]);
895 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install.");
897 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
898 fd = open(path, O_WRONLY, 0644);
899 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
902 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
903 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
906 smack_accesses_free(rules);
907 result = smack_accesses_new(&rules);
908 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
909 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
911 result = smack_accesses_apply(rules);
912 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
914 result = smack_accesses_save(rules, fd);
915 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
922 smack_accesses_free(rules);
924 // THE TEST - accesses
926 result = add_shared_dir_readers(TEST_OBJ,app_labels);
927 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
929 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
930 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
932 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
933 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
935 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
936 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
938 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
939 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
941 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
942 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
945 //TEST the operations on empty files
947 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
948 file = fopen(path, "r");
950 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
952 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
953 result = strcmp(buf, test_string_01);
954 RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path );
959 //TEST the operations on non empty files
960 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
962 file = fopen(path, "r");
963 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
965 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
966 result = strcmp(buf, test_string_21);
967 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
969 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
970 result = strcmp(buf, test_string_22);
971 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
979 * Set APP privileges.
981 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
986 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
987 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
990 * TODO This test should also verify set_app_privilege behavior for OSP and
991 * WRT apps. To do that we'll have to install real apps on device as a
995 // Set APP privileges
996 result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
997 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
999 // Check if SMACK label really set
1001 result = smack_new_label_from_self(&label);
1002 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1003 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1004 result = strcmp(APP_ID, label);
1005 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1007 // Check if DAC privileges really set
1008 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
1009 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
1011 result = strcmp(getenv("HOME"), APP_HOME_DIR);
1012 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
1014 result = strcmp(getenv("USER"), APP_USER_NAME);
1015 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
1017 std::set<unsigned> groups_check;
1018 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1019 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE);
1021 int groups_cnt = getgroups(0, NULL);
1022 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1023 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
1024 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1025 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
1027 for (int i = 0; i < groups_cnt; ++i) {
1028 if (groups_check.erase(groups_list[i]) == 0) {
1029 // getgroups() may also return process' main group
1030 if (groups_list[i] != getgid())
1031 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1034 std::string groups_left;
1035 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1036 groups_left.append(std::to_string(*it)).append(" ");
1038 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1042 * Set APP privileges. wgt.
1044 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
1048 result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
1049 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1050 " Error enabling app permissions. Result: " << result);
1052 result = test_have_all_accesses(rules_wgt);
1053 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1055 result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
1056 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1058 // Check if SMACK label really set
1060 result = smack_new_label_from_self(&label);
1061 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1062 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1063 result = strcmp(WGT_APP_ID, label);
1064 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1066 std::set<unsigned> groups_check;
1067 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1068 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1070 int groups_cnt = getgroups(0, NULL);
1071 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1072 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
1073 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1074 getgroups(groups_cnt, groups_list);
1076 for (int i = 0; i < groups_cnt; ++i) {
1077 if (groups_check.erase(groups_list[i]) == 0) {
1078 // getgroups() may also return process' main group
1079 if (groups_list[i] != getgid())
1080 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1083 std::string groups_left;
1084 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1085 groups_left.append(std::to_string(*it)).append(" ");
1087 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1091 * Set APP privileges. wgt_partner.
1093 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
1097 result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
1098 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1099 " Error enabling app permissions. Result: " << result);
1101 result = test_have_all_accesses(rules_wgt_partner);
1102 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1104 result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
1105 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1107 // Check if SMACK label really set
1109 result = smack_new_label_from_self(&label);
1110 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1111 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1112 result = strcmp(WGT_PARTNER_APP_ID, label);
1113 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1115 std::set<unsigned> groups_check;
1116 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1117 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1119 int groups_cnt = getgroups(0, NULL);
1120 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1121 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
1122 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1123 getgroups(groups_cnt, groups_list);
1125 for (int i = 0; i < groups_cnt; ++i) {
1126 if (groups_check.erase(groups_list[i]) == 0) {
1127 // getgroups() may also return process' main group
1128 if (groups_list[i] != getgid())
1129 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1132 std::string groups_left;
1133 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1134 groups_left.append(std::to_string(*it)).append(" ");
1136 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1140 * Set APP privileges. wgt_platform.
1142 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
1146 result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
1147 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1148 " Error enabling app permissions. Result: " << result);
1150 result = test_have_all_accesses(rules_wgt_platform);
1151 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1153 result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
1154 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
1156 // Check if SMACK label really set
1158 result = smack_new_label_from_self(&label);
1159 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1160 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1161 result = strcmp(WGT_PLATFORM_APP_ID, label);
1162 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1164 std::set<unsigned> groups_check;
1165 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1166 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1168 int groups_cnt = getgroups(0, NULL);
1169 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1170 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
1171 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1172 getgroups(groups_cnt, groups_list);
1174 for (int i = 0; i < groups_cnt; ++i) {
1175 if (groups_check.erase(groups_list[i]) == 0) {
1176 // getgroups() may also return process' main group
1177 if (groups_list[i] != getgid())
1178 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1181 std::string groups_left;
1182 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1183 groups_left.append(std::to_string(*it)).append(" ");
1185 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1188 RUNNER_TEST(privilege_control08_app_give_access)
1190 const char *subject = "lkjq345v34sfa";
1191 const char *object = "lk9290f92lkjz";
1192 smack_accesses *tmp = NULL;
1194 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1196 SmackUniquePtr smack(tmp, smack_accesses_free);
1198 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-"));
1199 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1201 app_give_access(subject, object, "wt");
1203 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat"));
1204 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1206 app_revoke_access(subject, object);
1208 RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra"));
1209 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1210 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1211 RUNNER_ASSERT(0 == smack_have_access(subject, object, "t"));
1213 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-"));
1214 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1217 RUNNER_TEST(privilege_control09_app_give_access)
1219 const char *subject = "ljk132flkjv";
1220 const char *object = "jjsiqsc32vs";
1221 smack_accesses *tmp = NULL;
1223 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1225 SmackUniquePtr smack(tmp, smack_accesses_free);
1227 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-"));
1228 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1230 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw"));
1231 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx"));
1233 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt"));
1234 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1236 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object));
1238 RUNNER_ASSERT(1 == smack_have_access(subject, object, "t"));
1239 RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
1240 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1241 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1242 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1244 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
1245 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1249 * Add new API feature
1251 RUNNER_TEST(privilege_control11_add_api_feature)
1255 remove_smack_files();
1258 // argument validation
1259 result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1260 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1262 result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0);
1263 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1266 // already existing features
1267 result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read" , NULL, NULL, 0);
1268 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1270 result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms" , NULL, NULL, 0);
1271 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1273 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging" , NULL, NULL, 0);
1274 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1276 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging" , NULL, NULL, 0);
1277 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1279 result = add_api_feature(APP_TYPE_OTHER,"http://messaging" , NULL, NULL, 0);
1280 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1282 result = add_api_feature(APP_TYPE_OTHER,"messaging.read" , NULL, NULL, 0);
1283 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1287 result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0);
1288 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1290 result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0);
1291 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1293 result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0);
1294 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1297 // smack files existence
1298 result = file_exists(OSP_BLAHBLAH);
1299 RUNNER_ASSERT(result == -1);
1301 result = file_exists(WRT_BLAHBLAH);
1302 RUNNER_ASSERT(result == -1);
1304 result = file_exists(OTHER_BLAHBLAH);
1305 RUNNER_ASSERT(result == -1);
1309 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0);
1310 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1311 result = file_exists(OSP_BLAHBLAH);
1312 RUNNER_ASSERT(result == -1);
1314 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0);
1315 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1316 result = file_exists(OSP_BLAHBLAH);
1317 RUNNER_ASSERT(result == 0);
1318 remove_smack_files();
1320 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1321 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1322 result = file_exists(OSP_BLAHBLAH);
1323 RUNNER_ASSERT(result == 0);
1324 remove_smack_files();
1328 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0);
1329 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1330 result = file_exists(OSP_BLAHBLAH);
1331 RUNNER_ASSERT(result == -1);
1333 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0);
1334 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1335 result = file_exists(OSP_BLAHBLAH);
1336 RUNNER_ASSERT(result == -1);
1338 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0);
1339 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1340 result = file_exists(OSP_BLAHBLAH);
1341 RUNNER_ASSERT(result == -1);
1343 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1344 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1345 result = file_exists(OSP_BLAHBLAH);
1346 RUNNER_ASSERT(result == -1);
1348 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0);
1349 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1350 result = file_exists(OSP_BLAHBLAH);
1351 RUNNER_ASSERT(result == -1);
1355 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0);
1356 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1357 osp_blahblah_check(__LINE__, { "malformed malformed r--a-" });
1358 remove_smack_files();
1360 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0);
1361 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1362 osp_blahblah_check(__LINE__, { "subject object -----" });
1363 remove_smack_files();
1365 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1366 "subject object\t rwxat",
1368 "subject2\tobject2 txarw",
1371 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1372 osp_blahblah_check(__LINE__, { "subject object rwxat", "subject2 object2 rwxat"});
1373 remove_smack_files();
1375 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1376 "Sub::jE,ct object a-RwX",
1378 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1379 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa-"});
1380 remove_smack_files();
1382 // TODO For now identical/complementary rules are not merged.
1383 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1384 "subject object rwxat",
1386 "subject object txarw",
1389 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1390 osp_blahblah_check(__LINE__, { "subject object rwxat", "subject object rwxat"});
1391 remove_smack_files();
1395 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0);
1396 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1397 osp_blahblah_check(__LINE__, { "a a ---a-"});
1398 result = file_exists(OSP_BLAHBLAH_DAC);
1399 RUNNER_ASSERT(result == -1);
1400 remove_smack_files();
1404 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3);
1405 printf("%d \n", result);
1406 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1407 osp_blahblah_check(__LINE__, { "a a ---a-"});
1408 osp_blahblah_dac_check(__LINE__, {0,1,2});
1409 remove_smack_files();
1411 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1);
1412 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1413 osp_blahblah_check(__LINE__, { "a a ---a-"});
1414 osp_blahblah_dac_check(__LINE__, {0});
1415 remove_smack_files();
1417 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3);
1418 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1419 osp_blahblah_check(__LINE__, { "a a ---a-"});
1420 osp_blahblah_dac_check(__LINE__, {1,1,1});
1421 remove_smack_files();
1425 * Check app_install function
1427 RUNNER_TEST(privilege_control01_app_install)
1433 unlink(SMACK_RULES_DIR APP_ID);
1435 app_uninstall(APP_ID);
1437 result = app_install(APP_ID);
1438 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1440 // checking if file really exists
1441 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1442 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno));
1446 // try install second time app with the same ID - it should pass.
1447 result = app_install(APP_ID);
1448 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1452 * Check app_install function
1454 RUNNER_TEST(privilege_control07_app_uninstall)
1460 result = app_uninstall(APP_ID);
1461 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno));
1463 // checking if file really exists
1464 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1465 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall");
1470 void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){
1472 result = smack_have_access(av_id, app_id, "rwx");
1473 RUNNER_ASSERT_MSG(result == 1,
1474 "Error while checking " << av_id << " rwx access to "
1475 << app_id << " " << comment << " Result: " << result);
1476 result = smack_have_access(av_id, app_id, "a");
1477 RUNNER_ASSERT_MSG(result == 0,
1478 "Error while checking " << av_id << " a access to "
1479 << app_id << " " << comment << " Result: " << result);
1480 result = smack_have_access(av_id, app_id, "t");
1481 RUNNER_ASSERT_MSG(result == 0,
1482 "Error while checking " << av_id << " t access to "
1483 << app_id << " " << comment << " Result: " << result);
1487 * Check app_register_av function
1488 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1490 RUNNER_TEST(privilege_control10_app_register_av)
1495 smack_revoke_subject(APP_TEST_AV_1);
1496 smack_revoke_subject(APP_TEST_AV_2);
1498 cleaning_smack_app_files();
1499 cleaning_smack_database_files();
1501 // Adding two apps before antivir
1502 result = app_install(APP_TEST_APP_1);
1503 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1505 result = app_install(APP_TEST_APP_2);
1506 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1509 result = app_register_av(APP_TEST_AV_1);
1510 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1512 // Checking added apps accesses
1513 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1514 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1517 result = app_install(APP_TEST_APP_3);
1518 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1520 // Checking app accesses
1521 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)");
1522 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)");
1523 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)");
1525 // Adding second antivir
1526 result = app_register_av(APP_TEST_AV_2);
1527 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1529 // Checking app accesses
1530 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1531 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1532 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1533 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1534 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1535 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1538 smack_revoke_subject(APP_TEST_AV_1);
1539 smack_revoke_subject(APP_TEST_AV_2);
1541 cleaning_smack_app_files();
1542 cleaning_smack_database_files();
1546 * Grant SMACK permissions based on permissions list.
1548 RUNNER_TEST(privilege_control11_app_enable_permissions)
1551 int smack_file_length;
1555 * Test - Enabling all permissions with persistant mode enabled
1558 result = app_revoke_permissions(APP_ID);
1559 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1560 "Error revoking app permissions. Result: " << result);
1562 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1563 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1564 " Error enabling app permissions. Result: " << result);
1566 // Check if the accesses are realy applied..
1567 result = test_have_all_accesses(rules2);
1568 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1571 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1572 RUNNER_ASSERT_MSG(pFile != NULL,
1573 "SMACK file NOT created!. Errno: " << errno);
1576 fseek(pFile, 0L, SEEK_END);
1577 smack_file_length = ftell(pFile);
1578 RUNNER_ASSERT_MSG(smack_file_length>0,
1579 "SMACK file empty with persistant mode 1. Errno: " << errno);
1585 result = app_revoke_permissions(APP_ID);
1586 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1587 "Error revoking app permissions. Result: " << result);
1590 * Test - Enabling all permissions with persistant mode disabled
1593 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1594 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1595 " Error enabling app permissions. Result: " << result);
1597 // Check if the accesses are realy applied..
1598 result = test_have_all_accesses(rules2);
1599 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1602 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1603 RUNNER_ASSERT_MSG(pFile != NULL,
1604 "SMACK file NOT created!. Errno: " << errno);
1607 fseek(pFile, 0L, SEEK_END);
1608 smack_file_length = ftell(pFile);
1609 RUNNER_ASSERT_MSG(smack_file_length==0,
1610 "SMACK file not empty with persistant mode 0. Errno: " << errno);
1616 result = app_revoke_permissions(APP_ID);
1617 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1618 "Error revoking app permissions. Result: " << result);
1621 * Test - Enabling all permissions in two complementary files
1624 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1625 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1626 " Error enabling app permissions. Result: " << result);
1628 // Check if the accesses are realy applied..
1629 result = test_have_all_accesses(rules2);
1630 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1633 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1634 RUNNER_ASSERT_MSG(pFile != NULL,
1635 "SMACK file NOT created!. Errno: " << errno);
1638 fseek(pFile, 0L, SEEK_END);
1639 smack_file_length = ftell(pFile);
1640 RUNNER_ASSERT_MSG(smack_file_length>0,
1641 "SMACK file empty with persistant mode 1. Errno: " << errno);
1647 result = app_revoke_permissions(APP_ID);
1648 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1649 "Error revoking app permissions. Result: " << result);
1652 * Test - Enabling some permissions and then enabling complementary permissions
1655 // Enable permission for rules 2 no r
1656 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1657 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1658 " Error enabling app permissions without r. Result: " << result);
1660 // Check if the accesses are realy applied..
1661 result = test_have_all_accesses(rules2_no_r);
1662 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1665 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1666 RUNNER_ASSERT_MSG(pFile != NULL,
1667 "SMACK file NOT created!. Errno: " << errno);
1670 fseek(pFile, 0L, SEEK_END);
1671 smack_file_length = ftell(pFile);
1672 RUNNER_ASSERT_MSG(smack_file_length>0,
1673 "SMACK file empty with persistant mode 1. Errno: " << errno);
1678 // Enable permission for rules 2
1679 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1680 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1681 " Error enabling app all permissions. Result: " << result);
1683 // Check if the accesses are realy applied..
1684 result = test_have_all_accesses(rules2);
1685 RUNNER_ASSERT_MSG(result==1, "Permissions all not added.");
1688 result = app_revoke_permissions(APP_ID);
1689 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1690 "Error revoking app permissions. Result: " << result);
1693 * Test - Enabling some permissions and then enabling all permissions
1696 // Enable permission for rules 2 no r
1697 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1698 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1699 " Error enabling app permissions without r. Result: " << result);
1701 // Check if the accesses are realy applied..
1702 result = test_have_all_accesses(rules2_no_r);
1703 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1706 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1707 RUNNER_ASSERT_MSG(pFile != NULL,
1708 "SMACK file NOT created!. Errno: " << errno);
1711 fseek(pFile, 0L, SEEK_END);
1712 smack_file_length = ftell(pFile);
1713 RUNNER_ASSERT_MSG(smack_file_length>0,
1714 "SMACK file empty with persistant mode 1. Errno: " << errno);
1719 // Enable permission for rules 2
1720 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1721 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1722 " Error enabling app permissions with only r. Result: " << result);
1724 // Check if the accesses are realy applied..
1725 result = test_have_all_accesses(rules2);
1726 RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added.");
1729 result = app_revoke_permissions(APP_ID);
1730 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1731 "Error revoking app permissions. Result: " << result);
1735 * Remove previously granted SMACK permissions based on permissions list.
1737 RUNNER_TEST(privilege_control12_app_disable_permissions)
1741 * Test - disable all granted permissions.
1745 // Prepare permissions that we want to disable
1746 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1747 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1748 " Error enabling app permissions. Result: " << result);
1750 // Disable permissions
1751 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1752 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1753 "Error disabling app permissions. Result: " << result);
1755 // Are all the permissions disabled?
1756 result = test_have_any_accesses(rules2);
1757 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1760 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1763 // Prepare permissions that will not be disabled
1764 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1765 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1766 " Error adding app first permissions. Result: " << result);
1768 // Prepare permissions that we want to disable
1769 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1770 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1771 " Error adding app second permissions. Result: " << result);
1773 // Disable second permissions
1774 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1775 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1776 "Error disabling app second permissions. Result: " << result);
1778 // Are all second permissions disabled?
1779 result = test_have_any_accesses(rules2);
1780 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1782 // Are all first permissions not disabled?
1783 result = test_have_all_accesses(rules);
1784 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1786 // Disable first permissions
1787 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1788 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1789 "Error disabling app first permissions. Result: " << result);
1791 // Are all second permissions disabled?
1792 result = test_have_any_accesses(rules);
1793 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1796 * Test - disable only no r granted permissions.
1799 // Prepare permissions
1800 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1801 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1802 " Error adding app permissions. Result: " << result);
1804 // Disable same permissions without r
1805 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1806 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1807 "Error disabling app no r permissions. Result: " << result);
1809 // Is any r permissions disabled?
1810 result = test_have_all_accesses(rules2_r);
1811 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1812 // Are all no r permissions disabled?
1813 result = test_have_any_accesses(rules2_no_r);
1814 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1816 // Prepare permissions
1817 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1818 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1819 " Error adding app no r permissions. Result: " << result);
1821 // Disable all permissions
1822 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1823 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1824 "Error disabling app permissions. Result: " << result);
1828 * Reset SMACK permissions for an application by revoking all previously
1829 * granted rules and enabling them again from a rules file from disk.
1832 RUNNER_TEST(privilege_control13_app_reset_permissions)
1838 * Test - doing reset and checking if rules exist again.
1841 // Prepare permissions to reset
1842 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1843 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1844 " Error adding app permissions. Result: " << result);
1846 // Reset permissions
1847 result = app_reset_permissions(APP_ID);
1848 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1849 "Error reseting app permissions. Result: " << result);
1851 // Are all second permissions not disabled?
1852 result = test_have_all_accesses(rules2);
1853 RUNNER_ASSERT_MSG(result==1, "Not all permissions added.");
1855 // Disable permissions
1856 result = app_revoke_permissions(APP_ID);
1857 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1858 "Error disabling app permissions. Result: " << result);
1863 * Make two applications "friends", by giving them both full permissions on
1866 RUNNER_TEST(privilege_control14_app_add_friend)
1871 * Test - making friends with no permissions on each other
1874 result = app_revoke_permissions(APP_FRIEND_1);
1875 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1876 "Error revoking app permissions. Result: " << result);
1877 result = app_revoke_permissions(APP_FRIEND_2);
1878 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1879 "Error revoking app permissions. Result: " << result);
1881 app_uninstall(APP_FRIEND_1);
1882 app_uninstall(APP_FRIEND_2);
1884 // Installing friends to be
1885 result = app_install(APP_FRIEND_1);
1886 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1887 " Error installing first app. Result: " << result);
1888 result = app_install(APP_FRIEND_2);
1889 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1890 " Error installing second app. Result: " << result);
1893 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1894 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1895 " Error making friends. Errno: " << result);
1897 // Checking if friends were made
1898 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1899 RUNNER_ASSERT_MSG(result == 1,
1900 " Error first one sided friednship failed. Result: " << result);
1901 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1902 RUNNER_ASSERT_MSG(result == 1,
1903 " Error second one sided friednship failed. Result: " << result);
1906 result = app_revoke_permissions(APP_FRIEND_1);
1907 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1908 "Error revoking app permissions. Result: " << result);
1909 result = app_revoke_permissions(APP_FRIEND_2);
1910 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1911 "Error revoking app permissions. Result: " << result);
1913 app_uninstall(APP_FRIEND_1);
1914 app_uninstall(APP_FRIEND_2);
1917 * Test - making friends with nonexisting friend
1920 // Installing one friend
1921 result = app_install(APP_FRIEND_1);
1922 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1923 " Error installing first app. Errno: " << result);
1925 // Adding imaginairy friend as second
1926 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1927 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1928 " Error making friends (first) with imaginairy friend failed. Result: "
1930 // Adding imaginairy friend as first
1931 result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
1932 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1933 " Error making friends (second) with imaginairy friend failed. Result: "
1936 result = app_revoke_permissions(APP_FRIEND_1);
1937 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1938 "Error revoking app permissions. Result: " << result);
1939 result = app_revoke_permissions(APP_FRIEND_2);
1940 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1941 "Error revoking app permissions. Result: " << result);
1943 app_uninstall(APP_FRIEND_1);
1944 app_uninstall(APP_FRIEND_2);
1947 * Test - making friends with some permissions already added
1952 struct smack_accesses * rulesFriend = NULL;
1954 std::vector<std::string> accessesFriend =
1955 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
1957 // Installing friends to be
1958 result = app_install(APP_FRIEND_1);
1959 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1960 " Error installing first app. Result: " << result);
1961 result = app_install(APP_FRIEND_2);
1962 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1963 " Error installing second app. Result: " << result);
1965 for(i = 0; i<accessesFriend.size(); ++i)
1967 for(j = 0; j<accessesFriend.size(); ++j)
1970 // Adding rules before making friends
1971 result = smack_accesses_new(&rulesFriend);
1972 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1973 "Error in smack_accesses_new. Result: " << result);
1975 result = smack_accesses_add(rulesFriend,
1976 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
1977 RUNNER_ASSERT_MSG(result == 0,
1978 "Unable to add modify rulesFirend (first). Result: " << result);
1979 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
1980 APP_FRIEND_1, accessesFriend[j].c_str());
1981 RUNNER_ASSERT_MSG(result == 0,
1982 "Unable to add modify rulesFirend (second). Result: " << result);
1984 result = smack_accesses_apply(rulesFriend);
1985 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1986 "Error in smack_accesses_apply. Result: " << result);
1989 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1990 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1991 " Error making friends. Result: " << result);
1993 // Checking if friends were made
1994 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1995 RUNNER_ASSERT_MSG(result == 1,
1996 " Error first one sided friednship failed. Result: " << result);
1997 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1998 RUNNER_ASSERT_MSG(result == 1,
1999 " Error second one sided friednship failed. Result: " << result);
2001 // Deleting all rules between friends
2002 smack_accesses_add_modify(rulesFriend,
2003 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
2004 smack_accesses_add_modify(rulesFriend,
2005 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
2007 result = smack_accesses_apply(rulesFriend);
2009 smack_accesses_free(rulesFriend);
2016 result = app_revoke_permissions(APP_FRIEND_1);
2017 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2018 "Error revoking app permissions. Result: " << result);
2019 result = app_revoke_permissions(APP_FRIEND_2);
2020 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2021 "Error revoking app permissions. Result: " << result);
2023 app_uninstall(APP_FRIEND_1);
2024 app_uninstall(APP_FRIEND_2);
2027 static void smack_set_random_label_based_on_pid_on_self(void)
2030 std::stringstream ss;
2032 ss << "s-" << getpid() << "-" << getppid();
2033 result = smack_set_label_for_self(ss.str().c_str());
2034 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
2035 << ss.str().c_str() << ") failed");
2038 static void smack_unix_sock_server(int sock)
2044 fd = accept(sock, NULL, NULL);
2048 result = smack_new_label_from_self(&smack_label);
2053 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
2055 result = write(fd, smack_label, strlen(smack_label));
2056 if(result != (int)strlen(smack_label)){
2060 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
2066 RUNNER_TEST(privilege_control15_app_id_from_socket)
2069 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
2073 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2075 smack_set_random_label_based_on_pid_on_self();
2077 if (!pid) { /* child process, server */
2080 /* Set the process label before creating a socket */
2081 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2082 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
2084 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
2087 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
2089 result = listen(sock, 1);
2092 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
2094 smack_unix_sock_server(sock);
2096 /* Change the process label with listening socket */
2097 smack_unix_sock_server(sock);
2100 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2101 /* Now running two concurrent servers.
2102 Test if socket label was unaffected by fork() */
2103 smack_unix_sock_server(sock);
2104 /* Let's give the two servers different labels */
2105 smack_unix_sock_server(sock);
2107 waitpid(pid, NULL, 0);
2109 } else { /* parent process, client */
2110 sleep(1); /* Give server some time to setup listening socket */
2112 for (i = 0; i < 4; ++i) {
2115 char smack_label1[SMACK_LABEL_LEN + 1];
2118 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2119 RUNNER_ASSERT_MSG(sock >= 0,
2120 "socket failed: " << strerror(errno));
2121 result = connect(sock,
2122 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
2125 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
2129 result = read(sock, smack_label1, SMACK_LABEL_LEN);
2133 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
2135 smack_label1[result] = '\0';
2136 smack_label2 = app_id_from_socket(sock);
2137 if(smack_label2 == NULL){
2139 RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
2141 result = strcmp(smack_label1, smack_label2);
2144 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
2145 << "' != '" << smack_label2 << "-" << random() << "'");
2149 waitpid(pid, NULL, 0);
2153 RUNNER_TEST(privilege_control16_app_setup_path){
2154 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
2155 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
2156 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
2157 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
2158 const char *label1 = "qwert123456za";
2159 const char *label2 = "trewq654123az";
2161 std::unique_ptr<char, std::function<void(void*)>> labelPtr(NULL,free);
2166 int fd = creat(path3, S_IRWXU);
2169 fd = creat(path4, S_IRWXU);
2175 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
2176 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
2177 labelPtr.reset(label);
2179 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
2181 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
2182 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
2183 labelPtr.reset(label);
2185 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
2187 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
2188 labelPtr.reset(label);
2190 RUNNER_ASSERT(labelPtr.get() == NULL);
2193 RUNNER_TEST(privilege_control17_appsettings_privilege)
2195 #define APP_1 "app_1"
2196 #define APP_1_DIR "/tmp/app_1"
2198 #define APP_2 "app_2"
2199 #define APP_2_DIR "/tmp/app_2"
2201 #define APP_TEST "app_test"
2203 #define PRIV_APPSETTING (const char*[]){"http://tizen.org/privilege/appsetting", NULL}
2206 char* app1_dir_label;
2207 char* app2_dir_label;
2211 (void)app_uninstall(APP_TEST);
2212 (void)app_uninstall(APP_1);
2213 (void)app_uninstall(APP_2);
2215 //install some app 1
2216 ret = app_install(APP_1);
2217 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install." << ret);
2219 mkdir(APP_1_DIR, S_IRWXU|S_IRGRP|S_IXGRP);
2221 //register settings folder for app 1
2222 ret = app_setup_path(APP_1, APP_1_DIR , APP_PATH_SETTINGS_RW );
2223 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
2225 //install "app_test" and give it appsettings privilege
2226 ret = app_install(APP_TEST);
2227 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
2230 ret = app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
2232 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
2233 " Error enabling app permissions. Result: " << ret);
2235 //check if "app_test" has an RX access to the app "app_1"
2236 ret = smack_have_access(APP_TEST, APP_1, "rx");
2237 RUNNER_ASSERT_MSG(ret,"access denies");
2240 //check if "app_test" has an RWX access to a folder registered by "app_1"
2241 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
2242 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2243 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
2244 RUNNER_ASSERT_MSG(ret,"access denies");
2247 //intstall another app: "app_2"
2248 ret = app_install(APP_2);
2249 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_install.");
2251 mkdir(APP_2_DIR, S_IRWXU|S_IRGRP|S_IXGRP);
2252 //register settings folder for that "app_2"
2253 ret = app_setup_path(APP_2, APP_2_DIR , APP_PATH_SETTINGS_RW );
2254 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in app_setup_path: " << ret);
2256 //check if "app_test" has an RX access to the app "app_2"
2257 ret = smack_have_access(APP_TEST, APP_2, "rx");
2258 RUNNER_ASSERT_MSG(ret,"access denies");
2260 //check if "app_test" has an RWX access to a folder registered by "app_2"
2261 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
2262 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2263 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
2264 RUNNER_ASSERT_MSG(ret,"access denies");
2266 free (app1_dir_label);
2267 free (app2_dir_label);
2271 (void)app_uninstall(APP_TEST);
2272 (void)app_uninstall(APP_1);
2273 (void)app_uninstall(APP_2);
2278 RUNNER_TEST(privilege_control18_app_setup_path_public)
2282 cleaning_smack_database_files();
2285 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2286 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2288 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2289 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2291 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
2292 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
2294 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
2295 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2297 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2298 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2300 cleaning_smack_database_files();
2303 RUNNER_TEST(privilege_control19_app_setup_path_settings)
2307 cleaning_smack_database_files();
2310 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2311 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2313 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2314 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2316 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
2317 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
2319 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
2320 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2322 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2323 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2325 cleaning_smack_database_files();