2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
33 #include <dpl/test/test_runner.h>
34 #include <dpl/test/test_runner_child.h>
35 #include <dpl/log/log.h>
36 #include <sys/types.h>
39 #include <sys/xattr.h>
40 #include <sys/smack.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
45 #include <privilege-control.h>
49 #define SMACK_RULES_DIR "/etc/smack/accesses.d/"
50 #define SMACK_LOAD2 "/smack/load2"
51 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
52 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
53 #define APPID_DIR "test_APP_ID_dir"
54 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
55 #define CANARY_LABEL "tiny_yellow_canary"
57 #define APP_ID "test_APP"
58 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
59 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
61 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
62 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
63 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
64 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
65 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
68 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
69 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
70 #define APP_TEST_APP_1 "test-application1"
71 #define APP_TEST_APP_2 "test-application_2"
72 #define APP_TEST_APP_3 "test-app-3"
73 #define APP_TEST_AV_1 "test-antivirus1"
74 #define APP_TEST_AV_2 "test-antivirus_2"
75 #define APP_TEST_AV_3 "test-av-3"
76 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
77 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
79 #define SOCK_PATH "/tmp/test-smack-socket"
83 #define APP_USER_NAME "app"
84 #define APP_HOME_DIR "/opt/home/app"
86 #define APP_FRIEND_1 "app_friend_1"
87 #define APP_FRIEND_2 "app_friend_2"
89 // How many open file descriptors should ftw() function use?
90 #define FTW_MAX_FDS 16
92 // Rules from test_privilege_control_rules.smack
93 const std::vector< std::vector<std::string> > rules = {
94 { APP_ID, "test_book_1", "r" },
95 { APP_ID, "test_book_2", "w" },
96 { APP_ID, "test_book_3", "x" },
97 { APP_ID, "test_book_4", "rw" },
98 { APP_ID, "test_book_5", "rx" },
99 { APP_ID, "test_book_6", "wx" },
100 { APP_ID, "test_book_7", "rwx" },
101 { "test_subject_1", APP_ID, "r" },
102 { "test_subject_2", APP_ID, "w" },
103 { "test_subject_3", APP_ID, "x" },
104 { "test_subject_4", APP_ID, "rw" },
105 { "test_subject_5", APP_ID, "rx" },
106 { "test_subject_6", APP_ID, "wx" },
107 { "test_subject_7", APP_ID, "rwx" },
108 { APP_ID, APPID_SHARED_DIR, "rwxat"}};
110 // Rules from test_privilege_control_rules2.smack
111 const std::vector< std::vector<std::string> > rules2 = {
112 { APP_ID, "test_book_8", "r" },
113 { APP_ID, "test_book_9", "w" },
114 { APP_ID, "test_book_10", "x" },
115 { APP_ID, "test_book_11", "rw" },
116 { APP_ID, "test_book_12", "rx" },
117 { APP_ID, "test_book_13", "wx" },
118 { APP_ID, "test_book_14", "rwx" },
119 { APP_ID, "test_book_15", "rwxat" },
120 { "test_subject_8", APP_ID, "r" },
121 { "test_subject_9", APP_ID, "w" },
122 { "test_subject_10", APP_ID, "x" },
123 { "test_subject_11", APP_ID, "rw" },
124 { "test_subject_12", APP_ID, "rx" },
125 { "test_subject_13", APP_ID, "wx" },
126 { "test_subject_14", APP_ID, "rwx" },
127 { "test_subject_15", APP_ID, "rwxat" }};
129 // Rules from test_privilege_control_rules_no_r.smack
130 const std::vector< std::vector<std::string> > rules2_no_r = {
131 { APP_ID, "test_book_9", "w" },
132 { APP_ID, "test_book_10", "x" },
133 { APP_ID, "test_book_11", "w" },
134 { APP_ID, "test_book_12", "x" },
135 { APP_ID, "test_book_13", "wx" },
136 { APP_ID, "test_book_14", "wx" },
137 { APP_ID, "test_book_15", "wxat" },
138 { "test_subject_9", APP_ID, "w" },
139 { "test_subject_10", APP_ID, "x" },
140 { "test_subject_11", APP_ID, "w" },
141 { "test_subject_12", APP_ID, "x" },
142 { "test_subject_13", APP_ID, "wx" },
143 { "test_subject_14", APP_ID, "wx" },
144 { "test_subject_15", APP_ID, "wxat" }};
146 // Rules from test_privilege_control_rules.smack
147 // minus test_privilege_control_rules_no_r.smack
148 const std::vector< std::vector<std::string> > rules2_r = {
149 { APP_ID, "test_book_8", "r" },
150 { APP_ID, "test_book_11", "r" },
151 { APP_ID, "test_book_12", "r" },
152 { APP_ID, "test_book_14", "r" },
153 { APP_ID, "test_book_15", "r" },
154 { "test_subject_8", APP_ID, "r" },
155 { "test_subject_11", APP_ID, "r" },
156 { "test_subject_12", APP_ID, "r" },
157 { "test_subject_14", APP_ID, "r" },
158 { "test_subject_15", APP_ID, "r" }};
163 typedef std::unique_ptr<smack_accesses,std::function<void(smack_accesses*)>> SmackUniquePtr;
165 const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_blahblah.smack";
166 const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
167 const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
168 const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_blahblah.dac";
169 const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
170 const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
171 const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
174 * Check if every rule is true.
175 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
177 int test_have_all_accesses(const std::vector< std::vector<std::string> >& rules){
179 for(uint i =0; i<rules.size();++i ){
180 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
188 * Check if every rule is true.
189 * @return 1 if ANY rule in SMACK, 0 if
191 int test_have_any_accesses(const std::vector< std::vector<std::string> >& rules){
193 for(uint i =0; i<rules.size();++i ){
194 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
201 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
203 int nftw_remove_labels(const char *fpath, const struct stat *sb,
204 int typeflag, struct FTW *ftwbuf)
206 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
207 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
208 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
213 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat *sb,
214 int typeflag, struct FTW *ftwbuf)
216 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
217 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
218 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
223 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat *sb,
224 int typeflag, struct FTW *ftwbuf)
230 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
231 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
232 result = strcmp(CANARY_LABEL, label);
233 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
236 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
237 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
238 result = strcmp(CANARY_LABEL, label);
239 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
242 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
243 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
244 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
249 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
250 int typeflag, struct FTW *ftwbuf)
256 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
257 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
258 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
259 result = strcmp(APPID_DIR, label);
260 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
263 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
264 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
265 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
266 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
267 result = strcmp(APPID_DIR, label);
268 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
270 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
273 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
274 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
275 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
280 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
281 int typeflag, struct FTW *ftwbuf)
287 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
288 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
289 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
290 result = strcmp(APPID_SHARED_DIR, label);
291 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
294 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
295 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
296 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
299 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
300 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
301 if (S_ISDIR(sb->st_mode)) {
302 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
303 result = strcmp("TRUE", label);
304 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
306 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
311 int file_exists(const char* path)
313 FILE* file = fopen(path, "r");
321 void osp_blahblah_check(int line_no, const std::vector<std::string>& rules)
323 std::ifstream smack_file(OSP_BLAHBLAH);
324 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
326 auto it = rules.begin();
328 while(std::getline(smack_file,line)) {
329 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
330 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
334 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
339 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned>& gids)
341 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
342 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
344 auto it = gids.begin();
346 while(std::getline(dac_file,line)) {
347 std::istringstream is(line);
350 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
351 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
355 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
360 void remove_smack_files()
363 unlink(OSP_BLAHBLAH);
364 unlink(WRT_BLAHBLAH);
365 unlink(OTHER_BLAHBLAH);
366 unlink(OSP_BLAHBLAH_DAC);
367 unlink(WRT_BLAHBLAH_DAC);
368 unlink(OTHER_BLAHBLAH_DAC);
371 int cleaning_smack_app_files (void)
373 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
375 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
377 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
379 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
381 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
383 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
388 int cleaning_smack_database_files (void)
393 unlink(SMACK_APPS_LABELS_DATABASE);
394 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
400 unlink(SMACK_AVS_LABELS_DATABASE);
401 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
411 * Test setting labels for all files and folders in given path.
413 RUNNER_TEST(privilege_control02_app_label_dir)
417 result = app_label_shared_dir(APP_ID, APP_ID, TEST_APP_DIR);
418 RUNNER_ASSERT_MSG(result != 0, "app_label_shared_dir(APP_ADD, APP_ID) == " << result);
420 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
421 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
423 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
424 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
426 result = app_label_dir(APPID_DIR, TEST_APP_DIR);
427 RUNNER_ASSERT_MSG(result == 0, "app_label_dir() failed");
429 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
430 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
432 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
433 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
436 RUNNER_TEST(privilege_control03_app_label_shared_dir)
440 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
441 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
443 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
444 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
446 result = app_label_shared_dir(APP_ID, APPID_SHARED_DIR, TEST_APP_DIR);
447 RUNNER_ASSERT_MSG(result == 0, "app_label_shared_dir() failed");
449 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
450 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
452 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
453 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
458 * Add permisions from test_privilege_control_rules template
460 RUNNER_TEST(privilege_control04_add_permissions)
462 int result = app_add_permissions(APP_ID, PRIVS);
463 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
464 " Error adding app permissions. Result: " << result);
466 // Check if the accesses are realy applied..
467 result = test_have_all_accesses(rules);
468 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
471 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
472 RUNNER_ASSERT_MSG(pFile != NULL,
473 "SMACK file NOT created!. Errno: " << errno);
476 fseek(pFile, 0L, SEEK_END);
477 int smack_file_length = ftell(pFile);
478 RUNNER_ASSERT_MSG(smack_file_length>0,
479 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
487 * Revoke permissions from the list. Should be executed as privileged user.
489 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
493 // Revoke permissions
494 result = app_revoke_permissions(APP_ID);
495 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
496 "Error revoking app permissions. Result: " << result);
498 // Are all the permissions revoked?
499 result = test_have_any_accesses(rules);
500 RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
503 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
506 RUNNER_ASSERT_MSG(false,
507 "SMACK file exists after revoke!");
511 static void read_gids(std::set<unsigned> &set, const char* file_path)
513 FILE *f = fopen(file_path, "r");
514 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
516 while (fscanf(f, "%u\n", &gid) == 1) {
521 RUNNER_TEST(privilege_control05_add_shared_dir_readers)
524 #define TEST_OBJ "TEST_OBJECT"
525 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
526 #define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----"
527 #define test_string_21 "TEST_trzy TEST_OBJA -wx--\n"
528 #define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n"
535 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
536 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
537 const int READ_BUF_SIZE = 1000;
538 char buf[READ_BUF_SIZE];
540 struct smack_accesses * rules = NULL;
542 //test what happens when the label is not correct SMACK label
543 result = smack_accesses_new(&rules);
544 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
546 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
547 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
549 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
550 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
552 smack_accesses_free(rules);
554 //ok, now the correct list of apps
555 result = smack_accesses_new(&rules);
556 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
558 for (i = 0; i < 3; i++) {
560 (void)app_uninstall(app_labels[i]);
561 result = app_install(app_labels[i]);
562 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install.");
564 asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]);
565 fd = open(path, O_WRONLY, 0644);
566 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
569 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
570 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
573 smack_accesses_free(rules);
574 result = smack_accesses_new(&rules);
575 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
576 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
578 result = smack_accesses_apply(rules);
579 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
581 result = smack_accesses_save(rules, fd);
582 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
589 smack_accesses_free(rules);
591 // THE TEST - accesses
593 result = add_shared_dir_readers(TEST_OBJ,app_labels);
594 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
596 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
597 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
599 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
600 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
602 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
603 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
605 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
606 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
608 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
609 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
612 //TEST the operations on empty files
614 asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]);
615 file = fopen(path, "r");
617 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
619 fgets(buf, READ_BUF_SIZE, file);
620 result = strcmp(buf, test_string_01);
621 RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path );
626 //TEST the operations on non empty files
627 asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]);
629 file = fopen(path, "r");
630 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
632 fgets(buf, READ_BUF_SIZE, file);
633 result = strcmp(buf, test_string_21);
634 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
636 fgets(buf, READ_BUF_SIZE, file);
637 result = strcmp(buf, test_string_22);
638 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
646 * Set APP privileges.
648 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
653 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
654 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
656 // Set APP privileges
657 result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
658 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
660 // Check if SMACK label really set
662 result = smack_new_label_from_self(&label);
663 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
664 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
665 result = strcmp(APP_ID, label);
666 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
668 // Check if DAC privileges really set
669 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
670 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
672 result = strcmp(getenv("HOME"), APP_HOME_DIR);
673 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
675 result = strcmp(getenv("USER"), APP_USER_NAME);
676 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
678 std::set<unsigned> groups_check;
679 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
680 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE);
682 int groups_cnt = getgroups(0, NULL);
683 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
684 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
685 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
686 getgroups(groups_cnt, groups_list);
688 for (int i = 0; i < groups_cnt; ++i) {
689 if (groups_check.erase(groups_list[i]) == 0) {
690 // getgroups() may also return process' main group
691 if (groups_list[i] == getgid())
692 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
695 std::string groups_left;
696 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
697 groups_left.append(std::to_string(*it)).append(" ");
699 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
702 RUNNER_TEST(privilege_control08_app_give_access)
704 const char *subject = "lkjq345v34sfa";
705 const char *object = "lk9290f92lkjz";
706 smack_accesses *tmp = NULL;
708 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
710 SmackUniquePtr smack(tmp, smack_accesses_free);
712 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-"));
713 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
715 app_give_access(subject, object, "wt");
717 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat"));
718 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
720 app_revoke_access(subject, object);
722 RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra"));
723 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
724 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
725 RUNNER_ASSERT(0 == smack_have_access(subject, object, "t"));
727 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-"));
728 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
731 RUNNER_TEST(privilege_control09_app_give_access)
733 const char *subject = "ljk132flkjv";
734 const char *object = "jjsiqsc32vs";
735 smack_accesses *tmp = NULL;
737 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
739 SmackUniquePtr smack(tmp, smack_accesses_free);
741 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-"));
742 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
744 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw"));
745 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx"));
747 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt"));
748 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
750 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object));
752 RUNNER_ASSERT(1 == smack_have_access(subject, object, "t"));
753 RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
754 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
755 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
756 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
758 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
759 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
763 * Add new API feature
765 RUNNER_TEST(privilege_control11_add_api_feature)
769 remove_smack_files();
772 // argument validation
773 result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
774 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
776 result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0);
777 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
780 // already existing features
781 result = add_api_feature(APP_TYPE_OSP,"messaging" , NULL, NULL, 0);
782 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
784 result = add_api_feature(APP_TYPE_OSP,"blahblah/messaging" , NULL, NULL, 0);
785 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
787 result = add_api_feature(APP_TYPE_WGT,"blahblahblah/messaging" , NULL, NULL, 0);
788 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
790 result = add_api_feature(APP_TYPE_OTHER,"blah/messaging" , NULL, NULL, 0);
791 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
795 result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0);
796 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
798 result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0);
799 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
801 result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0);
802 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
805 // smack files existence
806 result = file_exists(OSP_BLAHBLAH);
807 RUNNER_ASSERT(result == -1);
809 result = file_exists(WRT_BLAHBLAH);
810 RUNNER_ASSERT(result == -1);
812 result = file_exists(OTHER_BLAHBLAH);
813 RUNNER_ASSERT(result == -1);
817 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0);
818 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
819 result = file_exists(OSP_BLAHBLAH);
820 RUNNER_ASSERT(result == -1);
822 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0);
823 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
824 result = file_exists(OSP_BLAHBLAH);
825 RUNNER_ASSERT(result == 0);
826 remove_smack_files();
828 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
829 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
830 result = file_exists(OSP_BLAHBLAH);
831 RUNNER_ASSERT(result == 0);
832 remove_smack_files();
836 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0);
837 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
838 result = file_exists(OSP_BLAHBLAH);
839 RUNNER_ASSERT(result == -1);
841 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0);
842 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
843 result = file_exists(OSP_BLAHBLAH);
844 RUNNER_ASSERT(result == -1);
846 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0);
847 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
848 result = file_exists(OSP_BLAHBLAH);
849 RUNNER_ASSERT(result == -1);
851 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\\ malformed rwxat", NULL }, NULL, 0);
852 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
853 result = file_exists(OSP_BLAHBLAH);
854 RUNNER_ASSERT(result == -1);
856 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0);
857 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
858 result = file_exists(OSP_BLAHBLAH);
859 RUNNER_ASSERT(result == -1);
863 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0);
864 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
865 osp_blahblah_check(__LINE__, { "malformed malformed r--a-" });
866 remove_smack_files();
868 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0);
869 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
870 osp_blahblah_check(__LINE__, { "subject object -----" });
871 remove_smack_files();
873 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
874 "subject object\t rwxat",
876 "subject2\tobject2 txarw",
879 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
880 osp_blahblah_check(__LINE__, { "subject object rwxat", "subject2 object2 rwxat"});
881 remove_smack_files();
883 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
884 "Sub::jE,ct object a-RwX",
886 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
887 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa-"});
888 remove_smack_files();
890 // TODO For now identical/complementary rules are not merged.
891 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
892 "subject object rwxat",
894 "subject object txarw",
897 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
898 osp_blahblah_check(__LINE__, { "subject object rwxat", "subject object rwxat"});
899 remove_smack_files();
903 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0);
904 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
905 osp_blahblah_check(__LINE__, { "a a ---a-"});
906 result = file_exists(OSP_BLAHBLAH_DAC);
907 RUNNER_ASSERT(result == -1);
908 remove_smack_files();
912 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3);
913 printf("%d \n", result);
914 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
915 osp_blahblah_check(__LINE__, { "a a ---a-"});
916 osp_blahblah_dac_check(__LINE__, {0,1,2});
917 remove_smack_files();
919 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1);
920 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
921 osp_blahblah_check(__LINE__, { "a a ---a-"});
922 osp_blahblah_dac_check(__LINE__, {0});
923 remove_smack_files();
925 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3);
926 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
927 osp_blahblah_check(__LINE__, { "a a ---a-"});
928 osp_blahblah_dac_check(__LINE__, {1,1,1});
929 remove_smack_files();
933 * Check app_install function
935 RUNNER_TEST(privilege_control01_app_install)
941 unlink(SMACK_RULES_DIR APP_ID);
943 app_uninstall(APP_ID);
945 result = app_install(APP_ID);
946 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
948 // checking if file really exists
949 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
950 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno));
954 // try install second time app with the same ID - it should pass.
955 result = app_install(APP_ID);
956 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
960 * Check app_install function
962 RUNNER_TEST(privilege_control07_app_uninstall)
968 result = app_uninstall(APP_ID);
969 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno));
971 // checking if file really exists
972 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
973 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall");
978 void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){
980 result = smack_have_access(av_id, app_id, "rwx");
981 RUNNER_ASSERT_MSG(result == 1,
982 "Error while checking " << av_id << " rwx access to "
983 << app_id << " " << comment << " Result: " << result);
984 result = smack_have_access(av_id, app_id, "a");
985 RUNNER_ASSERT_MSG(result == 0,
986 "Error while checking " << av_id << " a access to "
987 << app_id << " " << comment << " Result: " << result);
988 result = smack_have_access(av_id, app_id, "t");
989 RUNNER_ASSERT_MSG(result == 0,
990 "Error while checking " << av_id << " t access to "
991 << app_id << " " << comment << " Result: " << result);
995 * Check app_register_av function
996 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
998 RUNNER_TEST(privilege_control10_app_register_av)
1003 struct smack_accesses * rules = NULL;
1007 smack_revoke_subject(APP_TEST_AV_1);
1008 smack_revoke_subject(APP_TEST_AV_2);
1010 cleaning_smack_app_files();
1011 cleaning_smack_database_files();
1013 // Adding two apps before antivir
1014 result = app_install(APP_TEST_APP_1);
1015 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1017 result = app_install(APP_TEST_APP_2);
1018 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1021 result = app_register_av(APP_TEST_AV_1);
1022 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1024 // Checking added apps accesses
1025 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1026 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1029 result = app_install(APP_TEST_APP_3);
1030 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1032 // Checking app accesses
1033 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)");
1034 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)");
1035 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)");
1037 // Adding second antivir
1038 result = app_register_av(APP_TEST_AV_2);
1039 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1041 // Checking app accesses
1042 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1043 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1044 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1045 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1046 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1047 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1050 smack_revoke_subject(APP_TEST_AV_1);
1051 smack_revoke_subject(APP_TEST_AV_2);
1053 cleaning_smack_app_files();
1054 cleaning_smack_database_files();
1058 * Grant SMACK permissions based on permissions list.
1060 RUNNER_TEST(privilege_control11_app_enable_permissions)
1063 int smack_file_length;
1067 * Test - Enabling all permissions with persistant mode enabled
1070 result = app_revoke_permissions(APP_ID);
1071 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1072 "Error revoking app permissions. Result: " << result);
1074 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1075 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1076 " Error enabling app permissions. Result: " << result);
1078 // Check if the accesses are realy applied..
1079 result = test_have_all_accesses(rules2);
1080 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1083 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1084 RUNNER_ASSERT_MSG(pFile != NULL,
1085 "SMACK file NOT created!. Errno: " << errno);
1088 fseek(pFile, 0L, SEEK_END);
1089 smack_file_length = ftell(pFile);
1090 RUNNER_ASSERT_MSG(smack_file_length>0,
1091 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
1097 result = app_revoke_permissions(APP_ID);
1098 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1099 "Error revoking app permissions. Result: " << result);
1102 * Test - Enabling all permissions with persistant mode disabled
1105 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1106 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1107 " Error enabling app permissions. Result: " << result);
1109 // Check if the accesses are realy applied..
1110 result = test_have_all_accesses(rules2);
1111 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1114 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1115 RUNNER_ASSERT_MSG(pFile==NULL,
1116 "SMACK file created!.");
1119 result = app_revoke_permissions(APP_ID);
1120 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1121 "Error revoking app permissions. Result: " << result);
1124 * Test - Enabling all permissions in two complementary files
1127 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1128 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1129 " Error enabling app permissions. Result: " << result);
1131 // Check if the accesses are realy applied..
1132 result = test_have_all_accesses(rules2);
1133 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1136 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1137 RUNNER_ASSERT_MSG(pFile != NULL,
1138 "SMACK file NOT created!. Errno: " << errno);
1141 fseek(pFile, 0L, SEEK_END);
1142 smack_file_length = ftell(pFile);
1143 RUNNER_ASSERT_MSG(smack_file_length>0,
1144 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
1150 result = app_revoke_permissions(APP_ID);
1151 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1152 "Error revoking app permissions. Result: " << result);
1155 * Test - Enabling some permissions and then enabling complementary permissions
1158 // Enable permission for rules 2 no r
1159 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1160 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1161 " Error enabling app permissions without r. Result: " << result);
1163 // Check if the accesses are realy applied..
1164 result = test_have_all_accesses(rules2_no_r);
1165 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1168 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1169 RUNNER_ASSERT_MSG(pFile != NULL,
1170 "SMACK file NOT created!. Errno: " << errno);
1173 fseek(pFile, 0L, SEEK_END);
1174 smack_file_length = ftell(pFile);
1175 RUNNER_ASSERT_MSG(smack_file_length>0,
1176 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
1181 // Enable permission for rules 2
1182 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1183 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1184 " Error enabling app all permissions. Result: " << result);
1186 // Check if the accesses are realy applied..
1187 result = test_have_all_accesses(rules2);
1188 RUNNER_ASSERT_MSG(result==1, "Permissions all not added.");
1191 result = app_revoke_permissions(APP_ID);
1192 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1193 "Error revoking app permissions. Result: " << result);
1196 * Test - Enabling some permissions and then enabling all permissions
1199 // Enable permission for rules 2 no r
1200 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1201 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1202 " Error enabling app permissions without r. Result: " << result);
1204 // Check if the accesses are realy applied..
1205 result = test_have_all_accesses(rules2_no_r);
1206 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1209 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1210 RUNNER_ASSERT_MSG(pFile != NULL,
1211 "SMACK file NOT created!. Errno: " << errno);
1214 fseek(pFile, 0L, SEEK_END);
1215 smack_file_length = ftell(pFile);
1216 RUNNER_ASSERT_MSG(smack_file_length>0,
1217 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
1222 // Enable permission for rules 2
1223 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1224 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1225 " Error enabling app permissions with only r. Result: " << result);
1227 // Check if the accesses are realy applied..
1228 result = test_have_all_accesses(rules2);
1229 RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added.");
1232 result = app_revoke_permissions(APP_ID);
1233 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1234 "Error revoking app permissions. Result: " << result);
1238 * Remove previously granted SMACK permissions based on permissions list.
1240 RUNNER_TEST(privilege_control12_app_disable_permissions)
1244 * Test - disable all granted permissions.
1248 // Prepare permissions that we want to disable
1249 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1250 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1251 " Error enabling app permissions. Result: " << result);
1253 // Disable permissions
1254 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1255 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1256 "Error disabling app permissions. Result: " << result);
1258 // Are all the permissions disabled?
1259 result = test_have_any_accesses(rules2);
1260 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1263 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1266 // Prepare permissions that will not be disabled
1267 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1268 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1269 " Error adding app first permissions. Result: " << result);
1271 // Prepare permissions that we want to disable
1272 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1273 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1274 " Error adding app second permissions. Result: " << result);
1276 // Disable second permissions
1277 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1278 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1279 "Error disabling app second permissions. Result: " << result);
1281 // Are all second permissions disabled?
1282 result = test_have_any_accesses(rules2);
1283 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1285 // Are all first permissions not disabled?
1286 result = test_have_all_accesses(rules);
1287 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1289 // Disable first permissions
1290 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1291 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1292 "Error disabling app first permissions. Result: " << result);
1294 // Are all second permissions disabled?
1295 result = test_have_any_accesses(rules);
1296 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1299 * Test - disable only no r granted permissions.
1302 // Prepare permissions
1303 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1304 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1305 " Error adding app permissions. Result: " << result);
1307 // Disable same permissions without r
1308 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1309 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1310 "Error disabling app no r permissions. Result: " << result);
1312 // Is any r permissions disabled?
1313 result = test_have_all_accesses(rules2_r);
1314 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1315 // Are all no r permissions disabled?
1316 result = test_have_any_accesses(rules2_no_r);
1317 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1319 // Prepare permissions
1320 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1321 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1322 " Error adding app no r permissions. Result: " << result);
1324 // Disable all permissions
1325 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1326 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1327 "Error disabling app permissions. Result: " << result);
1331 * Reset SMACK permissions for an application by revoking all previously
1332 * granted rules and enabling them again from a rules file from disk.
1335 RUNNER_TEST(privilege_control13_app_reset_permissions)
1341 * Test - doing reset and checking if rules exist again.
1344 // Prepare permissions to reset
1345 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1346 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1347 " Error adding app permissions. Result: " << result);
1349 // Reset permissions
1350 result = app_reset_permissions(APP_ID);
1351 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1352 "Error reseting app permissions. Result: " << result);
1354 // Are all second permissions not disabled?
1355 result = test_have_all_accesses(rules2);
1356 RUNNER_ASSERT_MSG(result==1, "Not all permissions added.");
1358 // Disable permissions
1359 result = app_revoke_permissions(APP_ID);
1360 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1361 "Error disabling app permissions. Result: " << result);
1366 * Make two applications "friends", by giving them both full permissions on
1369 RUNNER_TEST(privilege_control14_app_add_friend)
1374 * Test - making friends with no permissions on each other
1377 result = app_revoke_permissions(APP_FRIEND_1);
1378 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1379 "Error revoking app permissions. Result: " << result);
1380 result = app_revoke_permissions(APP_FRIEND_2);
1381 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1382 "Error revoking app permissions. Result: " << result);
1384 app_uninstall(APP_FRIEND_1);
1385 app_uninstall(APP_FRIEND_2);
1387 // Installing friends to be
1388 result = app_install(APP_FRIEND_1);
1389 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1390 " Error installing first app. Result: " << result);
1391 result = app_install(APP_FRIEND_2);
1392 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1393 " Error installing second app. Result: " << result);
1396 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1397 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1398 " Error making friends. Errno: " << result);
1400 // Checking if friends were made
1401 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1402 RUNNER_ASSERT_MSG(result == 1,
1403 " Error first one sided friednship failed. Result: " << result);
1404 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1405 RUNNER_ASSERT_MSG(result == 1,
1406 " Error second one sided friednship failed. Result: " << result);
1409 result = app_revoke_permissions(APP_FRIEND_1);
1410 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1411 "Error revoking app permissions. Result: " << result);
1412 result = app_revoke_permissions(APP_FRIEND_2);
1413 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1414 "Error revoking app permissions. Result: " << result);
1416 app_uninstall(APP_FRIEND_1);
1417 app_uninstall(APP_FRIEND_2);
1420 * Test - making friends with nonexisting friend
1423 // Installing one friend
1424 result = app_install(APP_FRIEND_1);
1425 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1426 " Error installing first app. Errno: " << result);
1428 // Adding imaginairy friend as second
1429 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1430 RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
1431 " Error making friends (first) with imaginairy friend succeeded. Result: "
1433 // Adding imaginairy friend as first
1434 result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
1435 RUNNER_ASSERT_MSG(result != PC_OPERATION_SUCCESS,
1436 " Error making friends (second) with imaginairy friend succeeded. Result: "
1439 result = app_revoke_permissions(APP_FRIEND_1);
1440 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1441 "Error revoking app permissions. Result: " << result);
1442 result = app_revoke_permissions(APP_FRIEND_2);
1443 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1444 "Error revoking app permissions. Result: " << result);
1446 app_uninstall(APP_FRIEND_1);
1447 app_uninstall(APP_FRIEND_2);
1450 * Test - making friends with some permissions already added
1455 struct smack_accesses * rulesFriend = NULL;
1457 std::vector<std::string> accessesFriend =
1458 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
1460 // Installing friends to be
1461 result = app_install(APP_FRIEND_1);
1462 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1463 " Error installing first app. Result: " << result);
1464 result = app_install(APP_FRIEND_2);
1465 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1466 " Error installing second app. Result: " << result);
1468 for(i = 0; i<accessesFriend.size(); ++i)
1470 for(j = 0; j<accessesFriend.size(); ++j)
1473 // Adding rules before making friends
1474 result = smack_accesses_new(&rulesFriend);
1475 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1476 "Error in smack_accesses_new. Result: " << result);
1478 result = smack_accesses_add(rulesFriend,
1479 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
1480 RUNNER_ASSERT_MSG(result == 0,
1481 "Unable to add modify rulesFirend (first). Result: " << result);
1482 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
1483 APP_FRIEND_1, accessesFriend[j].c_str());
1484 RUNNER_ASSERT_MSG(result == 0,
1485 "Unable to add modify rulesFirend (second). Result: " << result);
1487 result = smack_accesses_apply(rulesFriend);
1488 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1489 "Error in smack_accesses_apply. Result: " << result);
1492 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1493 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1494 " Error making friends. Result: " << result);
1496 // Checking if friends were made
1497 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1498 RUNNER_ASSERT_MSG(result == 1,
1499 " Error first one sided friednship failed. Result: " << result);
1500 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1501 RUNNER_ASSERT_MSG(result == 1,
1502 " Error second one sided friednship failed. Result: " << result);
1504 // Deleting all rules between friends
1505 smack_accesses_add_modify(rulesFriend,
1506 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
1507 smack_accesses_add_modify(rulesFriend,
1508 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
1510 result = smack_accesses_apply(rulesFriend);
1512 smack_accesses_free(rulesFriend);
1519 result = app_revoke_permissions(APP_FRIEND_1);
1520 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1521 "Error revoking app permissions. Result: " << result);
1522 result = app_revoke_permissions(APP_FRIEND_2);
1523 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1524 "Error revoking app permissions. Result: " << result);
1526 app_uninstall(APP_FRIEND_1);
1527 app_uninstall(APP_FRIEND_2);
1530 static void smack_set_random_label_based_on_pid_on_self(void)
1533 std::stringstream ss;
1535 ss << "s-" << getpid() << "-" << getppid();
1536 result = smack_set_label_for_self(ss.str().c_str());
1537 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
1538 << ss.str().c_str() << ") failed");
1541 static void smack_unix_sock_server(int sock)
1547 fd = accept(sock, NULL, NULL);
1551 result = smack_new_label_from_self(&smack_label);
1556 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
1558 result = write(fd, smack_label, strlen(smack_label));
1559 if(result != strlen(smack_label)){
1563 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
1569 RUNNER_TEST(privilege_control15_app_id_from_socket)
1572 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1576 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1578 smack_set_random_label_based_on_pid_on_self();
1580 if (!pid) { /* child process, server */
1583 /* Set the process label before creating a socket */
1584 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1585 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
1587 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
1590 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
1592 result = listen(sock, 1);
1595 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
1597 smack_unix_sock_server(sock);
1599 /* Change the process label with listening socket */
1600 smack_unix_sock_server(sock);
1603 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1604 /* Now running two concurrent servers.
1605 Test if socket label was unaffected by fork() */
1606 smack_unix_sock_server(sock);
1607 /* Let's give the two servers different labels */
1608 smack_unix_sock_server(sock);
1610 waitpid(pid, NULL, 0);
1612 } else { /* parent process, client */
1613 sleep(1); /* Give server some time to setup listening socket */
1615 for (i = 0; i < 4; ++i) {
1618 char smack_label1[SMACK_LABEL_LEN + 1];
1621 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1622 RUNNER_ASSERT_MSG(sock >= 0,
1623 "socket failed: " << strerror(errno));
1624 result = connect(sock,
1625 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
1628 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
1632 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1636 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
1638 smack_label1[result] = '\0';
1639 smack_label2 = app_id_from_socket(sock);
1640 if(smack_label2 == NULL){
1642 RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
1644 result = strcmp(smack_label1, smack_label2);
1647 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
1648 << "' != '" << smack_label2 << "-" << random() << "'");
1652 waitpid(pid, NULL, 0);