2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
34 #include <dpl/test/test_runner.h>
35 #include <dpl/test/test_runner_child.h>
36 #include <dpl/log/log.h>
37 #include <sys/types.h>
40 #include <sys/xattr.h>
41 #include <sys/smack.h>
42 #include <sys/types.h>
43 #include <sys/socket.h>
46 #include <privilege-control.h>
51 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
52 #define SMACK_STARTUP_RULES_FILE "/opt/etc/smack-app-early/accesses.d/rules"
53 #define SMACK_LOAD2 "/smack/load2"
54 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
55 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
56 #define APPID_DIR "test_APP_ID_dir"
57 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
58 #define CANARY_LABEL "tiny_yellow_canary"
60 #define APP_ID "test_APP"
61 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
62 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
64 #define WGT_APP_ID "QwCqJ0ttyS"
65 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
66 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
67 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
68 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
69 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
70 #define OSP_APP_ID "uqNfgEjqc7"
71 #define OSP_PARTNER_APP_ID "j4RuPsZrNt"
72 #define OSP_PLATFORM_APP_ID "V5LKqDFBXm"
73 #define OSP_APP_PATH "/opt/usr/apps/uqNfgEjqc7/bin/PysiuMisiu123Osp"
74 #define OSP_PARTNER_APP_PATH "/opt/usr/apps/j4RuPsZrNt/bin/PysiuMisiu123OspPartner"
75 #define OSP_PLATFORM_APP_PATH "/opt/usr/apps/V5LKqDFBXm/bin/PysiuMisiu123OspPlatform"
76 #define EARLY_RULE_SUBJECT "livebox.web-provider"
77 #define EARLY_RULE_RIGHTS "rwx---"
79 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
80 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
81 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
82 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
83 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
84 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
85 const char *PRIVS_OSP[] = { "test_privilege_control_rules_osp", NULL };
87 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
88 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
89 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
90 #define LIBPRIVILEGE_TEST_DAC_FILE_OSP "/usr/share/privilege-control/OSP_test_privilege_control_rules_osp.dac"
92 #define APP_TEST_APP_1 "test-application1"
93 #define APP_TEST_APP_2 "test-application_2"
94 #define APP_TEST_APP_3 "test-app-3"
95 #define APP_TEST_AV_1 "test-antivirus1"
96 #define APP_TEST_AV_2 "test-antivirus_2"
97 #define APP_TEST_AV_3 "test-av-3"
99 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
100 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
101 #define SMACK_PUBLIC_DIRS_DATABASE "/opt/dbspace/.privilege_control_public_dirs.db"
102 #define SMACK_APPS_SETTINGS_LABELS_DATABASE "/opt/dbspace/.privilege_control_app_setting.db"
103 #define SMACK_SETTINGS_DIRS_DATABASE "/opt/dbspace/.privilege_control_setting_dir.db"
105 #define APP_TEST_SETTINGS_ASP1 "test-app-settings-asp1"
106 #define APP_TEST_SETTINGS_ASP2 "test-app-settings-asp2"
107 #define APP_TEST_AV_ASP1 "test-app-av-asp1"
108 #define APP_TEST_AV_ASP2 "test-app-av-asp2"
110 #define SOCK_PATH "/tmp/test-smack-socket"
114 #define APP_USER_NAME "app"
115 #define APP_HOME_DIR "/opt/home/app"
117 #define APP_FRIEND_1 "app_friend_1"
118 #define APP_FRIEND_2 "app_friend_2"
120 #define SMACK_ACC_LEN 6
122 // How many open file descriptors should ftw() function use?
123 #define FTW_MAX_FDS 16
125 // Rules from test_privilege_control_rules.smack
126 const std::vector< std::vector<std::string> > rules = {
127 { APP_ID, "test_book_1", "r" },
128 { APP_ID, "test_book_2", "w" },
129 { APP_ID, "test_book_3", "x" },
130 { APP_ID, "test_book_4", "rw" },
131 { APP_ID, "test_book_5", "rx" },
132 { APP_ID, "test_book_6", "wx" },
133 { APP_ID, "test_book_7", "rwx" },
134 { "test_subject_1", APP_ID, "r" },
135 { "test_subject_2", APP_ID, "w" },
136 { "test_subject_3", APP_ID, "x" },
137 { "test_subject_4", APP_ID, "rw" },
138 { "test_subject_5", APP_ID, "rx" },
139 { "test_subject_6", APP_ID, "wx" },
140 { "test_subject_7", APP_ID, "rwx" },
141 { APP_ID, APPID_SHARED_DIR, "rwxat"}
144 // Rules from test_privilege_control_rules2.smack
145 const std::vector< std::vector<std::string> > rules2 = {
146 { APP_ID, "test_book_8", "r" },
147 { APP_ID, "test_book_9", "w" },
148 { APP_ID, "test_book_10", "x" },
149 { APP_ID, "test_book_11", "rw" },
150 { APP_ID, "test_book_12", "rx" },
151 { APP_ID, "test_book_13", "wx" },
152 { APP_ID, "test_book_14", "rwx" },
153 { APP_ID, "test_book_15", "rwxat" },
154 { "test_subject_8", APP_ID, "r" },
155 { "test_subject_9", APP_ID, "w" },
156 { "test_subject_10", APP_ID, "x" },
157 { "test_subject_11", APP_ID, "rw" },
158 { "test_subject_12", APP_ID, "rx" },
159 { "test_subject_13", APP_ID, "wx" },
160 { "test_subject_14", APP_ID, "rwx" },
161 { "test_subject_15", APP_ID, "rwxat" }
164 // Rules from test_privilege_control_rules_no_r.smack
165 const std::vector< std::vector<std::string> > rules2_no_r = {
166 { APP_ID, "test_book_9", "w" },
167 { APP_ID, "test_book_10", "x" },
168 { APP_ID, "test_book_11", "w" },
169 { APP_ID, "test_book_12", "x" },
170 { APP_ID, "test_book_13", "wx" },
171 { APP_ID, "test_book_14", "wx" },
172 { APP_ID, "test_book_15", "wxat" },
173 { "test_subject_9", APP_ID, "w" },
174 { "test_subject_10", APP_ID, "x" },
175 { "test_subject_11", APP_ID, "w" },
176 { "test_subject_12", APP_ID, "x" },
177 { "test_subject_13", APP_ID, "wx" },
178 { "test_subject_14", APP_ID, "wx" },
179 { "test_subject_15", APP_ID, "wxat" }
182 // Rules from test_privilege_control_rules.smack
183 // minus test_privilege_control_rules_no_r.smack
184 const std::vector< std::vector<std::string> > rules2_r = {
185 { APP_ID, "test_book_8", "r" },
186 { APP_ID, "test_book_11", "r" },
187 { APP_ID, "test_book_12", "r" },
188 { APP_ID, "test_book_14", "r" },
189 { APP_ID, "test_book_15", "r" },
190 { "test_subject_8", APP_ID, "r" },
191 { "test_subject_11", APP_ID, "r" },
192 { "test_subject_12", APP_ID, "r" },
193 { "test_subject_14", APP_ID, "r" },
194 { "test_subject_15", APP_ID, "r" }
197 // Rules from test_privilege_control_rules_wgt.smack for wgt
198 const std::vector< std::vector<std::string> > rules_wgt = {
199 { WGT_APP_ID, "test_book_8", "r" },
200 { WGT_APP_ID, "test_book_9", "w" },
201 { WGT_APP_ID, "test_book_10", "x" },
202 { WGT_APP_ID, "test_book_11", "rw" },
203 { WGT_APP_ID, "test_book_12", "rx" },
204 { WGT_APP_ID, "test_book_13", "wx" },
205 { WGT_APP_ID, "test_book_14", "rwx" },
206 { WGT_APP_ID, "test_book_15", "rwxat" },
207 { "test_subject_8", WGT_APP_ID, "r" },
208 { "test_subject_9", WGT_APP_ID, "w" },
209 { "test_subject_10", WGT_APP_ID, "x" },
210 { "test_subject_11", WGT_APP_ID, "rw" },
211 { "test_subject_12", WGT_APP_ID, "rx" },
212 { "test_subject_13", WGT_APP_ID, "wx" },
213 { "test_subject_14", WGT_APP_ID, "rwx" },
214 { "test_subject_15", WGT_APP_ID, "rwxat" }
217 // Rules from test_privilege_control_rules_wgt.smack for wgt_partner
218 const std::vector< std::vector<std::string> > rules_wgt_partner = {
219 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
220 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
221 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
222 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
223 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
224 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
225 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
226 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
227 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
228 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
229 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
230 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
231 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
232 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
233 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
234 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }
237 // Rules from test_privilege_control_rules_wgt.smack for wgt_platform
238 const std::vector< std::vector<std::string> > rules_wgt_platform = {
239 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
240 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
241 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
242 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
243 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
244 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
245 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
246 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
247 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
248 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
249 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
250 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
251 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
252 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
253 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
254 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }
257 // Rules from test_privilege_control_rules_osp.smack for osp
258 const std::vector< std::vector<std::string> > rules_osp = {
259 { OSP_APP_ID, "test_book_8", "r" },
260 { OSP_APP_ID, "test_book_9", "w" },
261 { OSP_APP_ID, "test_book_10", "x" },
262 { OSP_APP_ID, "test_book_11", "rw" },
263 { OSP_APP_ID, "test_book_12", "rx" },
264 { OSP_APP_ID, "test_book_13", "wx" },
265 { OSP_APP_ID, "test_book_14", "rwx" },
266 { OSP_APP_ID, "test_book_15", "rwxat" },
267 { "test_subject_8", OSP_APP_ID, "r" },
268 { "test_subject_9", OSP_APP_ID, "w" },
269 { "test_subject_10", OSP_APP_ID, "x" },
270 { "test_subject_11", OSP_APP_ID, "rw" },
271 { "test_subject_12", OSP_APP_ID, "rx" },
272 { "test_subject_13", OSP_APP_ID, "wx" },
273 { "test_subject_14", OSP_APP_ID, "rwx" },
274 { "test_subject_15", OSP_APP_ID, "rwxat" }
277 // Rules from test_privilege_control_rules_osp.smack for osp_partner
278 const std::vector< std::vector<std::string> > rules_osp_partner = {
279 { OSP_PARTNER_APP_ID, "test_book_8", "r" },
280 { OSP_PARTNER_APP_ID, "test_book_9", "w" },
281 { OSP_PARTNER_APP_ID, "test_book_10", "x" },
282 { OSP_PARTNER_APP_ID, "test_book_11", "rw" },
283 { OSP_PARTNER_APP_ID, "test_book_12", "rx" },
284 { OSP_PARTNER_APP_ID, "test_book_13", "wx" },
285 { OSP_PARTNER_APP_ID, "test_book_14", "rwx" },
286 { OSP_PARTNER_APP_ID, "test_book_15", "rwxat" },
287 { "test_subject_8", OSP_PARTNER_APP_ID, "r" },
288 { "test_subject_9", OSP_PARTNER_APP_ID, "w" },
289 { "test_subject_10", OSP_PARTNER_APP_ID, "x" },
290 { "test_subject_11", OSP_PARTNER_APP_ID, "rw" },
291 { "test_subject_12", OSP_PARTNER_APP_ID, "rx" },
292 { "test_subject_13", OSP_PARTNER_APP_ID, "wx" },
293 { "test_subject_14", OSP_PARTNER_APP_ID, "rwx" },
294 { "test_subject_15", OSP_PARTNER_APP_ID, "rwxat" }
297 // Rules from test_privilege_control_rules_osp.smack for osp_platform
298 const std::vector< std::vector<std::string> > rules_osp_platform = {
299 { OSP_PLATFORM_APP_ID, "test_book_8", "r" },
300 { OSP_PLATFORM_APP_ID, "test_book_9", "w" },
301 { OSP_PLATFORM_APP_ID, "test_book_10", "x" },
302 { OSP_PLATFORM_APP_ID, "test_book_11", "rw" },
303 { OSP_PLATFORM_APP_ID, "test_book_12", "rx" },
304 { OSP_PLATFORM_APP_ID, "test_book_13", "wx" },
305 { OSP_PLATFORM_APP_ID, "test_book_14", "rwx" },
306 { OSP_PLATFORM_APP_ID, "test_book_15", "rwxat" },
307 { "test_subject_8", OSP_PLATFORM_APP_ID, "r" },
308 { "test_subject_9", OSP_PLATFORM_APP_ID, "w" },
309 { "test_subject_10", OSP_PLATFORM_APP_ID, "x" },
310 { "test_subject_11", OSP_PLATFORM_APP_ID, "rw" },
311 { "test_subject_12", OSP_PLATFORM_APP_ID, "rx" },
312 { "test_subject_13", OSP_PLATFORM_APP_ID, "wx" },
313 { "test_subject_14", OSP_PLATFORM_APP_ID, "rwx" },
314 { "test_subject_15", OSP_PLATFORM_APP_ID, "rwxat" }
318 typedef std::unique_ptr<smack_accesses,std::function<void (smack_accesses*)> > SmackUniquePtr;
320 const char *OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
321 const char *WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
322 const char *OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
323 const char *OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
324 const char *WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
325 const char *OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
326 const char *BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
329 * Check if every rule is true.
330 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
332 int test_have_all_accesses(const std::vector< std::vector<std::string> > &rules)
335 for (uint i = 0; i < rules.size(); ++i) {
336 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
344 * Check if every rule is true.
345 * @return 1 if ANY rule in SMACK, 0 if
347 int test_have_any_accesses(const std::vector< std::vector<std::string> > &rules)
350 for (uint i = 0; i < rules.size(); ++i) {
351 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
358 int nftw_remove_labels(const char *fpath, const struct stat* /*sb*/,
359 int /*typeflag*/, struct FTW* /*ftwbuf*/)
361 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
362 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
363 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
368 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
369 int /*typeflag*/, struct FTW* /*ftwbuf*/)
371 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
372 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
373 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
378 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat* /*sb*/,
379 int /*typeflag*/, struct FTW* /*ftwbuf*/)
385 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
386 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
387 result = strcmp(CANARY_LABEL, label);
388 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
391 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
392 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
393 result = strcmp(CANARY_LABEL, label);
394 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
397 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
398 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
399 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
404 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
405 int /*typeflag*/, struct FTW* /*ftwbuf*/)
411 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
412 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
413 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
414 result = strcmp(APPID_DIR, label);
415 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
418 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
419 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
420 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
421 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
422 result = strcmp(APPID_DIR, label);
423 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
424 } else if (S_ISLNK(sb->st_mode)) {
426 char *target = realpath(fpath, NULL);
427 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
429 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
430 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
432 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
433 result = strcmp(APPID_DIR, label);
434 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
437 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
440 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
441 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
442 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
447 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
448 int /*typeflag*/, struct FTW* /*ftwbuf*/)
454 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
455 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
456 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
457 result = strcmp(APPID_SHARED_DIR, label);
458 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
460 result = smack_have_access(APP_ID, APPID_SHARED_DIR, "rwxat");
461 RUNNER_ASSERT_MSG(result == 1,
462 "Error rwxat access was not given shared dir. Subject: " <<
463 APP_ID << ". Object: " << APPID_SHARED_DIR << ". Result: " << result);
465 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
466 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
467 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
470 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
471 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
472 if (S_ISDIR(sb->st_mode)) {
473 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
474 result = strcmp("TRUE", label);
475 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
477 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
482 int check_labels_dir(const char *fpath, const struct stat *sb,
483 const char *labels_db_path, const char *dir_db_path,
489 char *scanf_label_format;
490 char label_temp[SMACK_LABEL_LEN + 1];
494 result = smack_lgetlabel(fpath, &label_gen, SMACK_LABEL_ACCESS);
495 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
496 RUNNER_ASSERT_MSG(label_gen != NULL, "ACCESS label on " << fpath << " is not set");
499 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
502 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
507 RUNNER_ASSERT_MSG(false, "EXEC label on " << fpath << " is set.");
511 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
515 RUNNER_ASSERT_MSG(false, "Could not get label for the path");
517 if (S_ISDIR(sb->st_mode)) {
521 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set");
523 result = strcmp("TRUE", label);
527 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is not set to TRUE");
529 } else if (label != NULL) {
532 RUNNER_ASSERT_MSG(false, "TRANSMUTE label on " << fpath << " is set");
537 if (0 > asprintf(&scanf_label_format, "%%%ds\\n", SMACK_LABEL_LEN)) {
539 RUNNER_ASSERT_MSG(false, "asprintf failed");
542 file_db = fopen(labels_db_path, "r");
543 if (file_db == NULL) {
545 free(scanf_label_format);
546 RUNNER_ASSERT_MSG(false, "Can not open database for apps");
548 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
549 result = smack_have_access(label_temp, label_gen, access);
553 free(scanf_label_format);
554 RUNNER_ASSERT_MSG(false,
555 "Error " << access << " access was not given for subject: "
556 << label_temp << ". Result: " << result);
561 file_db = fopen(dir_db_path, "r");
562 if (file_db == NULL) {
564 free(scanf_label_format);
565 RUNNER_ASSERT_MSG(false, "Can not open database for dirs");
568 while (fscanf(file_db, scanf_label_format, label_temp) == 1) {
569 if (strcmp(label_gen, label_temp) == 0) {
574 free(scanf_label_format);
578 RUNNER_ASSERT_MSG(is_dir, "Error autogenerated label is not in dirs db.");
583 int nftw_check_labels_app_public_dir(const char *fpath, const struct stat *sb,
584 int /*typeflag*/, struct FTW* /*ftwbuf*/)
586 return check_labels_dir(fpath, sb,
587 SMACK_APPS_LABELS_DATABASE,
588 SMACK_PUBLIC_DIRS_DATABASE, "rx");
591 int nftw_check_labels_app_settings_dir(const char *fpath, const struct stat *sb,
592 int /*typeflag*/, struct FTW* /*ftwbuf*/)
594 return check_labels_dir(fpath, sb,
595 SMACK_APPS_SETTINGS_LABELS_DATABASE,
596 SMACK_SETTINGS_DIRS_DATABASE, "rwx");
599 int file_exists(const char *path)
601 FILE *file = fopen(path, "r");
609 void osp_blahblah_check(int line_no, const std::vector<std::string> &rules)
611 std::ifstream smack_file(OSP_BLAHBLAH);
612 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
614 auto it = rules.begin();
616 while (std::getline(smack_file,line)) {
617 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
618 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
622 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
627 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned> &gids)
629 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
630 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
632 auto it = gids.begin();
634 while (std::getline(dac_file,line)) {
635 std::istringstream is(line);
638 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
639 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
643 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
648 void remove_smack_files()
651 unlink(OSP_BLAHBLAH);
652 unlink(WRT_BLAHBLAH);
653 unlink(OTHER_BLAHBLAH);
654 unlink(OSP_BLAHBLAH_DAC);
655 unlink(WRT_BLAHBLAH_DAC);
656 unlink(OTHER_BLAHBLAH_DAC);
659 int cleaning_smack_app_files (void)
661 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
663 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
665 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
667 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
669 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
671 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
676 int cleaning_smack_database_files (void)
681 unlink(SMACK_APPS_LABELS_DATABASE);
682 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
688 unlink(SMACK_AVS_LABELS_DATABASE);
689 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
694 //clean app settings database
695 unlink(SMACK_APPS_SETTINGS_LABELS_DATABASE);
696 fd = open(SMACK_APPS_SETTINGS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
701 //clean public dirs database
702 unlink(SMACK_PUBLIC_DIRS_DATABASE);
703 fd = open(SMACK_PUBLIC_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
708 //clean settings dirs database
709 unlink(SMACK_SETTINGS_DIRS_DATABASE);
710 fd = open(SMACK_SETTINGS_DIRS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
718 void add_lables_to_db()
722 file_db = fopen(SMACK_AVS_LABELS_DATABASE, "a");
723 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
724 << SMACK_AVS_LABELS_DATABASE << " can not be opened to apend!");
725 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
727 RUNNER_ASSERT_MSG(false, "Error writing to database file");
729 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
731 RUNNER_ASSERT_MSG(false, "Error writing to database file");
735 file_db = fopen(SMACK_APPS_SETTINGS_LABELS_DATABASE, "a");
736 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
737 << SMACK_APPS_SETTINGS_LABELS_DATABASE << " can not be opened to apend!");
738 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
740 RUNNER_ASSERT_MSG(false, "Error writing to database file");
742 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
744 RUNNER_ASSERT_MSG(false, "Error writing to database file");
748 file_db = fopen(SMACK_APPS_LABELS_DATABASE, "a");
749 RUNNER_ASSERT_MSG(file_db != NULL, "Error database file "
750 << SMACK_APPS_LABELS_DATABASE << " can not be opened to apend!");
751 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP1)) {
753 RUNNER_ASSERT_MSG(false, "Error writing to database file");
755 if (0 > fprintf(file_db, "%s\n", APP_TEST_AV_ASP2)) {
757 RUNNER_ASSERT_MSG(false, "Error writing to database file");
759 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP1)) {
761 RUNNER_ASSERT_MSG(false, "Error writing to database file");
763 if (0 > fprintf(file_db, "%s\n", APP_TEST_SETTINGS_ASP2)) {
765 RUNNER_ASSERT_MSG(false, "Error writing to database file");
771 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
774 * Test setting labels for all files and folders in given path.
776 RUNNER_TEST(privilege_control02_app_label_dir)
780 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
781 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
783 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
784 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
786 result = perm_app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
787 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
789 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
790 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
792 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
793 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
796 RUNNER_TEST(privilege_control03_app_label_shared_dir)
800 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
801 RUNNER_ASSERT_MSG(result != 0, "perm_app_setup_path(APP_ID, APP_ID) didn't fail");
803 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
804 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
806 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
807 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
809 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
810 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
812 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
813 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
815 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
816 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
820 * Add permisions from test_privilege_control_rules template
822 RUNNER_TEST(privilege_control04_add_permissions)
824 int result = app_add_permissions(APP_ID, PRIVS);
825 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
826 " Error adding app permissions. Result: " << result);
828 // Check if the accesses are realy applied..
829 result = test_have_all_accesses(rules);
830 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
833 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
834 RUNNER_ASSERT_MSG(pFile != NULL,
835 "SMACK file NOT created!. Errno: " << errno);
838 fseek(pFile, 0L, SEEK_END);
839 int smack_file_length = ftell(pFile);
840 RUNNER_ASSERT_MSG(smack_file_length > 0,
841 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
848 * Revoke permissions from the list. Should be executed as privileged user.
850 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
854 // Revoke permissions
855 result = perm_app_revoke_permissions(APP_ID);
856 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
857 "Error revoking app permissions. Result: " << result);
859 result = perm_app_revoke_permissions(WGT_APP_ID);
860 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
861 "Error revoking app permissions. Result: " << result);
862 result = perm_app_revoke_permissions(WGT_PARTNER_APP_ID);
863 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
864 "Error revoking app permissions. Result: " << result);
865 result = perm_app_revoke_permissions(WGT_PLATFORM_APP_ID);
866 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
867 "Error revoking app permissions. Result: " << result);
869 result = perm_app_revoke_permissions(OSP_APP_ID);
870 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
871 "Error revoking app permissions. Result: " << result);
872 result = perm_app_revoke_permissions(OSP_PARTNER_APP_ID);
873 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
874 "Error revoking app permissions. Result: " << result);
875 result = perm_app_revoke_permissions(OSP_PLATFORM_APP_ID);
876 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
877 "Error revoking app permissions. Result: " << result);
879 // Are all the permissions revoked?
880 result = test_have_any_accesses(rules);
881 RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked.");
882 result = test_have_any_accesses(rules_wgt);
883 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
884 result = test_have_any_accesses(rules_wgt_partner);
885 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
886 result = test_have_any_accesses(rules_wgt_platform);
887 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
889 result = test_have_any_accesses(rules);
890 RUNNER_ASSERT_MSG(result != 1, "Not all permisions revoked.");
891 result = test_have_any_accesses(rules_osp);
892 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
893 result = test_have_any_accesses(rules_osp_partner);
894 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
895 result = test_have_any_accesses(rules_osp_platform);
896 RUNNER_ASSERT_MSG(result == 0, "Not all permisions revoked.");
898 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
899 RUNNER_ASSERT_MSG(pFile != NULL,
900 "SMACK file removed!. Errno: " << errno);
902 fseek(pFile, 0L, SEEK_END);
903 int smack_file_length = ftell(pFile);
906 RUNNER_ASSERT_MSG(smack_file_length == 0,
907 "SMACK file not empty.. Errno: " << errno);
909 pFile = fopen(SMACK_RULES_DIR WGT_APP_ID, "rb");
910 RUNNER_ASSERT_MSG(pFile != NULL,
911 "SMACK file removed!. Errno: " << errno);
913 fseek(pFile, 0L, SEEK_END);
914 smack_file_length = ftell(pFile);
917 RUNNER_ASSERT_MSG(smack_file_length == 0,
918 "SMACK file not empty.. Errno: " << errno);
920 pFile = fopen(SMACK_RULES_DIR WGT_PARTNER_APP_ID, "rb");
921 RUNNER_ASSERT_MSG(pFile != NULL,
922 "SMACK file removed!. Errno: " << errno);
924 fseek(pFile, 0L, SEEK_END);
925 smack_file_length = ftell(pFile);
928 RUNNER_ASSERT_MSG(smack_file_length == 0,
929 "SMACK file not empty.. Errno: " << errno);
931 pFile = fopen(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, "rb");
932 RUNNER_ASSERT_MSG(pFile != NULL,
933 "SMACK file removed!. Errno: " << errno);
935 fseek(pFile, 0L, SEEK_END);
936 smack_file_length = ftell(pFile);
939 RUNNER_ASSERT_MSG(smack_file_length == 0,
940 "SMACK file not empty.. Errno: " << errno);
942 pFile = fopen(SMACK_RULES_DIR OSP_APP_ID, "rb");
943 RUNNER_ASSERT_MSG(pFile != NULL,
944 "SMACK file removed!. Errno: " << errno);
946 fseek(pFile, 0L, SEEK_END);
947 smack_file_length = ftell(pFile);
950 RUNNER_ASSERT_MSG(smack_file_length == 0,
951 "SMACK file not empty.. Errno: " << errno);
953 pFile = fopen(SMACK_RULES_DIR OSP_PARTNER_APP_ID, "rb");
954 RUNNER_ASSERT_MSG(pFile != NULL,
955 "SMACK file removed!. Errno: " << errno);
957 fseek(pFile, 0L, SEEK_END);
958 smack_file_length = ftell(pFile);
961 RUNNER_ASSERT_MSG(smack_file_length == 0,
962 "SMACK file not empty.. Errno: " << errno);
964 pFile = fopen(SMACK_RULES_DIR OSP_PLATFORM_APP_ID, "rb");
965 RUNNER_ASSERT_MSG(pFile != NULL,
966 "SMACK file removed!. Errno: " << errno);
968 fseek(pFile, 0L, SEEK_END);
969 smack_file_length = ftell(pFile);
972 RUNNER_ASSERT_MSG(smack_file_length == 0,
973 "SMACK file not empty.. Errno: " << errno);
976 static void read_gids(std::set<unsigned> &set, const char *file_path)
978 FILE *f = fopen(file_path, "r");
979 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
981 while (fscanf(f, "%u\n", &gid) == 1) {
986 RUNNER_TEST(privilege_control05_add_shared_dir_readers)
988 #define TEST_OBJ "TEST_OBJECT"
989 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
990 #define test_string_01 "TEST_raz TEST_OBJECT r-x--- ------"
991 #define test_string_21 "TEST_trzy TEST_OBJA -wx---\n"
992 #define test_string_22 "TEST_trzy TEST_OBJECT r-x--- ------\n"
999 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
1000 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
1001 const int READ_BUF_SIZE = 1000;
1002 char buf[READ_BUF_SIZE];
1004 struct smack_accesses *rules = NULL;
1006 //test environment cleaning
1007 cleaning_smack_app_files();
1008 cleaning_smack_database_files();
1010 //test what happens when the label is not correct SMACK label
1011 result = smack_accesses_new(&rules);
1012 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new.");
1014 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
1015 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
1017 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
1018 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
1020 smack_accesses_free(rules);
1022 //ok, now the correct list of apps
1023 result = smack_accesses_new(&rules);
1024 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new.");
1026 for (i = 0; i < 3; i++) {
1028 result = perm_app_revoke_permissions(app_labels[i]);
1029 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_revoke_permissions.");
1030 result = perm_app_uninstall(app_labels[i]);
1031 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
1032 result = perm_app_install(app_labels[i]);
1033 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
1035 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
1036 fd = open(path, O_WRONLY, 0644);
1037 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
1040 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
1041 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1044 smack_accesses_free(rules);
1045 result = smack_accesses_new(&rules);
1046 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
1047 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
1049 result = smack_accesses_apply(rules);
1050 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1052 result = smack_accesses_save(rules, fd);
1053 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
1059 smack_accesses_free(rules);
1061 // THE TEST - accesses
1063 result = add_shared_dir_readers(TEST_OBJ,app_labels);
1064 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
1066 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
1067 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1069 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
1070 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1072 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
1073 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1075 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
1076 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1078 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
1079 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
1082 //TEST the operations on empty files
1084 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
1085 file = fopen(path, "r");
1087 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1089 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1090 result = strcmp(buf, test_string_01);
1091 RUNNER_ASSERT_MSG( result != 0, "add_shared_dir_readers ERROR, file not formatted" << path);
1096 //TEST the operations on non empty files
1097 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
1099 file = fopen(path, "r");
1100 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
1102 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1103 result = strcmp(buf, test_string_21);
1104 RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" << path);
1106 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
1107 result = strcmp(buf, test_string_22);
1108 RUNNER_ASSERT_MSG( result == 0, "add_shared_dir_readers ERROR, file not formatted" << path);
1116 * Set APP privileges.
1119 void check_groups(const char *dac_file)
1121 std::set<unsigned> groups_check;
1122 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
1123 read_gids(groups_check, dac_file);
1125 int groups_cnt = getgroups(0, NULL);
1126 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
1127 gid_t *groups_list = (gid_t*) calloc(groups_cnt, sizeof(gid_t));
1128 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
1129 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
1131 for (int i = 0; i < groups_cnt; ++i) {
1132 //getgroups() can return multiple number of the same group
1133 //they are returned in sequence, so we will given number when last
1134 //element of this number is reached
1135 if ((i < groups_cnt - 1) && (groups_list[i + 1] == groups_list[i]))
1137 if (groups_check.erase(groups_list[i]) == 0) {
1138 // getgroups() may also return process' main group
1139 if (groups_list[i] != getgid())
1140 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
1144 std::string groups_left;
1145 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
1146 groups_left.append(std::to_string(*it)).append(" ");
1148 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
1151 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
1155 // Preset exec label
1156 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
1157 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
1160 * TODO This test should also verify perm_app_set_privilege behavior for OSP and
1161 * WRT apps. To do that we'll have to install real apps on device as a
1165 // Set APP privileges
1166 result = perm_app_set_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
1167 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1169 // Check if SMACK label really set
1171 result = smack_new_label_from_self(&label);
1172 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1173 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1174 result = strcmp(APP_ID, label);
1175 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1177 // Check if DAC privileges really set
1178 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
1179 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
1181 result = strcmp(getenv("HOME"), APP_HOME_DIR);
1182 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
1184 result = strcmp(getenv("USER"), APP_USER_NAME);
1185 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
1187 check_groups(LIBPRIVILEGE_TEST_DAC_FILE);
1191 * Set APP privileges. wgt.
1193 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
1197 result = perm_app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
1198 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1199 " Error enabling app permissions. Result: " << result);
1201 result = test_have_all_accesses(rules_wgt);
1202 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1204 result = perm_app_set_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
1205 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1207 // Check if SMACK label really set
1209 result = smack_new_label_from_self(&label);
1210 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1211 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1212 result = strcmp(WGT_APP_ID, label);
1213 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1216 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1220 * Set APP privileges. wgt_partner.
1222 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
1226 result = perm_app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
1227 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1228 " Error enabling app permissions. Result: " << result);
1230 result = test_have_all_accesses(rules_wgt_partner);
1231 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1233 result = perm_app_set_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
1234 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1236 // Check if SMACK label really set
1238 result = smack_new_label_from_self(&label);
1239 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1240 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1241 result = strcmp(WGT_PARTNER_APP_ID, label);
1242 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1244 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1248 * Set APP privileges. wgt_platform.
1250 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
1254 result = perm_app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
1255 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1256 " Error enabling app permissions. Result: " << result);
1258 result = test_have_all_accesses(rules_wgt_platform);
1259 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1261 result = perm_app_set_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
1262 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1264 // Check if SMACK label really set
1266 result = smack_new_label_from_self(&label);
1267 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1268 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1269 result = strcmp(WGT_PLATFORM_APP_ID, label);
1270 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1272 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_WGT);
1276 * Set APP privileges. osp app.
1278 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp)
1282 result = perm_app_enable_permissions(OSP_APP_ID, APP_TYPE_OSP, PRIVS_OSP, 1);
1283 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1284 " Error enabling app permissions. Result: " << result);
1286 result = test_have_all_accesses(rules_osp);
1287 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1289 result = perm_app_set_privilege(OSP_APP_ID, NULL, OSP_APP_PATH);
1290 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1292 // Check if SMACK label really set
1294 result = smack_new_label_from_self(&label);
1295 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1296 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1297 result = strcmp(OSP_APP_ID, label);
1298 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1300 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1304 * Set APP privileges. partner osp app.
1306 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_partner)
1310 result = perm_app_enable_permissions(OSP_PARTNER_APP_ID, APP_TYPE_OSP_PARTNER, PRIVS_OSP, 1);
1311 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1312 " Error enabling app permissions. Result: " << result);
1314 result = test_have_all_accesses(rules_osp_partner);
1315 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1317 result = perm_app_set_privilege(OSP_PARTNER_APP_ID, NULL, OSP_PARTNER_APP_PATH);
1318 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1320 // Check if SMACK label really set
1322 result = smack_new_label_from_self(&label);
1323 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1324 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1325 result = strcmp(OSP_PARTNER_APP_ID, label);
1326 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1328 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1332 * Set APP privileges. platform osp app.
1334 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_osp_platform)
1338 result = perm_app_enable_permissions(OSP_PLATFORM_APP_ID, APP_TYPE_OSP_PLATFORM, PRIVS_OSP, 1);
1339 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1340 " Error enabling app permissions. Result: " << result);
1342 result = test_have_all_accesses(rules_osp_platform);
1343 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1345 result = perm_app_set_privilege(OSP_PLATFORM_APP_ID, NULL, OSP_PLATFORM_APP_PATH);
1346 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in perm_app_set_privilege. Error: " << result);
1348 // Check if SMACK label really set
1350 result = smack_new_label_from_self(&label);
1351 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
1352 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
1353 result = strcmp(OSP_PLATFORM_APP_ID, label);
1354 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
1356 check_groups(LIBPRIVILEGE_TEST_DAC_FILE_OSP);
1360 * Add new API feature
1362 RUNNER_TEST(privilege_control11_add_api_feature)
1366 remove_smack_files();
1369 // argument validation
1370 result = perm_add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1371 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1373 result = perm_add_api_feature(APP_TYPE_OSP,"", NULL, NULL, 0);
1374 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1377 // already existing features
1378 result = perm_add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read", NULL, NULL, 0);
1379 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1381 result = perm_add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms", NULL, NULL, 0);
1382 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1384 result = perm_add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging", NULL, NULL, 0);
1385 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1387 result = perm_add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging", NULL, NULL, 0);
1388 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1390 result = perm_add_api_feature(APP_TYPE_OTHER,"http://messaging", NULL, NULL, 0);
1391 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1393 result = perm_add_api_feature(APP_TYPE_OTHER,"messaging.read", NULL, NULL, 0);
1394 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1398 result = perm_add_api_feature(APP_TYPE_OSP,"blahblah", NULL, NULL, 0);
1399 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1401 result = perm_add_api_feature(APP_TYPE_WGT,"blahblah", NULL, NULL, 0);
1402 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1404 result = perm_add_api_feature(APP_TYPE_OTHER,"blahblah", NULL, NULL, 0);
1405 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1408 // smack files existence
1409 result = file_exists(OSP_BLAHBLAH);
1410 RUNNER_ASSERT(result == -1);
1412 result = file_exists(WRT_BLAHBLAH);
1413 RUNNER_ASSERT(result == -1);
1415 result = file_exists(OTHER_BLAHBLAH);
1416 RUNNER_ASSERT(result == -1);
1420 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, { NULL }, NULL, 0);
1421 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1422 result = file_exists(OSP_BLAHBLAH);
1423 RUNNER_ASSERT(result == -1);
1425 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "", NULL }, NULL, 0);
1426 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1427 result = file_exists(OSP_BLAHBLAH);
1428 RUNNER_ASSERT(result == 0);
1429 remove_smack_files();
1431 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1432 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1433 result = file_exists(OSP_BLAHBLAH);
1434 RUNNER_ASSERT(result == 0);
1435 remove_smack_files();
1439 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed", NULL }, NULL, 0);
1440 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1441 result = file_exists(OSP_BLAHBLAH);
1442 RUNNER_ASSERT(result == -1);
1444 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed", NULL }, NULL, 0);
1445 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1446 result = file_exists(OSP_BLAHBLAH);
1447 RUNNER_ASSERT(result == -1);
1449 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "-malformed malformed rwxat", NULL }, NULL, 0);
1450 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1451 result = file_exists(OSP_BLAHBLAH);
1452 RUNNER_ASSERT(result == -1);
1454 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1455 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1456 result = file_exists(OSP_BLAHBLAH);
1457 RUNNER_ASSERT(result == -1);
1459 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object rwxat something else", NULL }, NULL, 0);
1460 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1461 result = file_exists(OSP_BLAHBLAH);
1462 RUNNER_ASSERT(result == -1);
1466 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "malformed malformed maaaaaalformed", NULL }, NULL, 0);
1467 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1468 osp_blahblah_check(__LINE__, { "malformed malformed r--a-l ------" });
1469 remove_smack_files();
1471 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) { "subject object foo", NULL }, NULL, 0);
1472 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1473 osp_blahblah_check(__LINE__, { "subject object ------ ------" });
1474 remove_smack_files();
1476 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1477 "subject object\t rwxatl",
1479 "subject2\tobject2 ltxarw",
1483 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1484 osp_blahblah_check(__LINE__, { "subject object rwxatl ------", "subject2 object2 rwxatl ------"});
1485 remove_smack_files();
1487 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1488 "Sub::jE,ct object a-RwXL",
1491 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1492 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa-l ------"});
1493 remove_smack_files();
1495 // TODO For now identical/complementary rules are not merged.
1496 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {
1497 "subject object rwxatl",
1499 "subject object ltxarw",
1503 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1504 osp_blahblah_check(__LINE__, { "subject object rwxatl ------", "subject object rwxatl ------"});
1505 remove_smack_files();
1509 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},0);
1510 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1511 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1512 result = file_exists(OSP_BLAHBLAH_DAC);
1513 RUNNER_ASSERT(result == -1);
1514 remove_smack_files();
1518 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},3);
1519 printf("%d \n", result);
1520 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1521 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1522 osp_blahblah_dac_check(__LINE__, {0,1,2});
1523 remove_smack_files();
1525 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {0,1,2},1);
1526 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1527 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1528 osp_blahblah_dac_check(__LINE__, {0});
1529 remove_smack_files();
1531 result = perm_add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE, (const char*[]) {"a a a",NULL},(const gid_t[]) {1,1,1},3);
1532 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1533 osp_blahblah_check(__LINE__, { "a a ---a-- ------"});
1534 osp_blahblah_dac_check(__LINE__, {1,1,1});
1535 remove_smack_files();
1539 * Check perm_app_install function
1541 RUNNER_TEST(privilege_control01_app_install)
1546 unlink(SMACK_RULES_DIR APP_ID);
1548 perm_app_uninstall(APP_ID);
1550 result = perm_app_install(APP_ID);
1551 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1553 // checking if file really exists
1554 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1555 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
1558 // try install second time app with the same ID - it should pass.
1559 result = perm_app_install(APP_ID);
1560 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1564 * Check perm_app_install function
1566 RUNNER_TEST(privilege_control07_app_uninstall)
1571 result = perm_app_uninstall(APP_ID);
1572 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
1574 // checking if file really exists
1575 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1576 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after perm_app_uninstall");
1580 void checkOnlyAvAccess(const char *av_id, const char *app_id, const char *comment)
1583 result = smack_have_access(av_id, app_id, "rwx");
1584 RUNNER_ASSERT_MSG(result == 1,
1585 "Error while checking " << av_id << " rwx access to "
1586 << app_id << " " << comment << " Result: " << result);
1587 result = smack_have_access(av_id, app_id, "a");
1588 RUNNER_ASSERT_MSG(result == 0,
1589 "Error while checking " << av_id << " a access to "
1590 << app_id << " " << comment << " Result: " << result);
1591 result = smack_have_access(av_id, app_id, "t");
1592 RUNNER_ASSERT_MSG(result == 0,
1593 "Error while checking " << av_id << " t access to "
1594 << app_id << " " << comment << " Result: " << result);
1598 * Check app_register_av function
1599 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1601 RUNNER_TEST(privilege_control10_app_register_av)
1606 smack_revoke_subject(APP_TEST_AV_1);
1607 smack_revoke_subject(APP_TEST_AV_2);
1609 cleaning_smack_app_files();
1610 cleaning_smack_database_files();
1612 // Adding two apps before antivir
1613 result = perm_app_install(APP_TEST_APP_1);
1614 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1616 result = perm_app_install(APP_TEST_APP_2);
1617 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1620 result = app_register_av(APP_TEST_AV_1);
1621 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1623 // Checking added apps accesses
1624 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1625 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1628 result = perm_app_install(APP_TEST_APP_3);
1629 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
1631 // Checking app accesses
1632 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "perm_app_install(APP_TEST_APP_3)");
1633 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "perm_app_install(APP_TEST_APP_3)");
1634 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "perm_app_install(APP_TEST_APP_3)");
1636 // Adding second antivir
1637 result = app_register_av(APP_TEST_AV_2);
1638 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result << ". Errno: " << strerror(errno));
1640 // Checking app accesses
1641 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1642 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1643 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1644 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1645 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1646 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1649 smack_revoke_subject(APP_TEST_AV_1);
1650 smack_revoke_subject(APP_TEST_AV_2);
1652 cleaning_smack_app_files();
1653 cleaning_smack_database_files();
1657 * Grant SMACK permissions based on permissions list.
1659 RUNNER_TEST(privilege_control11_app_enable_permissions)
1662 int smack_file_length;
1666 * Test - Enabling all permissions with persistant mode enabled
1669 result = perm_app_revoke_permissions(APP_ID);
1670 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1671 "Error revoking app permissions. Result: " << result);
1673 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1674 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1675 " Error enabling app permissions. Result: " << result);
1677 // Check if the accesses are realy applied..
1678 result = test_have_all_accesses(rules2);
1679 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1682 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1683 RUNNER_ASSERT_MSG(pFile != NULL,
1684 "SMACK file NOT created!. Errno: " << errno);
1687 fseek(pFile, 0L, SEEK_END);
1688 smack_file_length = ftell(pFile);
1689 RUNNER_ASSERT_MSG(smack_file_length > 0,
1690 "SMACK file empty with persistant mode 1. Errno: " << errno);
1696 result = perm_app_revoke_permissions(APP_ID);
1697 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1698 "Error revoking app permissions. Result: " << result);
1701 * Test - Enabling all permissions with persistant mode disabled
1704 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1705 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1706 " Error enabling app permissions. Result: " << result);
1708 // Check if the accesses are realy applied..
1709 result = test_have_all_accesses(rules2);
1710 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1713 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1714 RUNNER_ASSERT_MSG(pFile != NULL,
1715 "SMACK file NOT created!. Errno: " << errno);
1718 fseek(pFile, 0L, SEEK_END);
1719 smack_file_length = ftell(pFile);
1720 RUNNER_ASSERT_MSG(smack_file_length == 0,
1721 "SMACK file not empty with persistant mode 0. Errno: " << errno);
1727 result = perm_app_revoke_permissions(APP_ID);
1728 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1729 "Error revoking app permissions. Result: " << result);
1732 * Test - Enabling all permissions in two complementary files
1735 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1736 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1737 " Error enabling app permissions. Result: " << result);
1739 // Check if the accesses are realy applied..
1740 result = test_have_all_accesses(rules2);
1741 RUNNER_ASSERT_MSG(result == 1, "Permissions not added.");
1744 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1745 RUNNER_ASSERT_MSG(pFile != NULL,
1746 "SMACK file NOT created!. Errno: " << errno);
1749 fseek(pFile, 0L, SEEK_END);
1750 smack_file_length = ftell(pFile);
1751 RUNNER_ASSERT_MSG(smack_file_length > 0,
1752 "SMACK file empty with persistant mode 1. Errno: " << errno);
1758 result = perm_app_revoke_permissions(APP_ID);
1759 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1760 "Error revoking app permissions. Result: " << result);
1763 * Test - Enabling some permissions and then enabling complementary permissions
1766 // Enable permission for rules 2 no r
1767 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1768 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1769 " Error enabling app permissions without r. Result: " << result);
1771 // Check if the accesses are realy applied..
1772 result = test_have_all_accesses(rules2_no_r);
1773 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1776 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1777 RUNNER_ASSERT_MSG(pFile != NULL,
1778 "SMACK file NOT created!. Errno: " << errno);
1781 fseek(pFile, 0L, SEEK_END);
1782 smack_file_length = ftell(pFile);
1783 RUNNER_ASSERT_MSG(smack_file_length > 0,
1784 "SMACK file empty with persistant mode 1. Errno: " << errno);
1789 // Enable permission for rules 2
1790 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1791 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1792 " Error enabling app all permissions. Result: " << result);
1794 // Check if the accesses are realy applied..
1795 result = test_have_all_accesses(rules2);
1796 RUNNER_ASSERT_MSG(result == 1, "Permissions all not added.");
1799 result = perm_app_revoke_permissions(APP_ID);
1800 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1801 "Error revoking app permissions. Result: " << result);
1804 * Test - Enabling some permissions and then enabling all permissions
1807 // Enable permission for rules 2 no r
1808 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1809 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1810 " Error enabling app permissions without r. Result: " << result);
1812 // Check if the accesses are realy applied..
1813 result = test_have_all_accesses(rules2_no_r);
1814 RUNNER_ASSERT_MSG(result == 1, "Permissions without r not added.");
1817 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1818 RUNNER_ASSERT_MSG(pFile != NULL,
1819 "SMACK file NOT created!. Errno: " << errno);
1822 fseek(pFile, 0L, SEEK_END);
1823 smack_file_length = ftell(pFile);
1824 RUNNER_ASSERT_MSG(smack_file_length > 0,
1825 "SMACK file empty with persistant mode 1. Errno: " << errno);
1830 // Enable permission for rules 2
1831 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1832 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1833 " Error enabling app permissions with only r. Result: " << result);
1835 // Check if the accesses are realy applied..
1836 result = test_have_all_accesses(rules2);
1837 RUNNER_ASSERT_MSG(result == 1, "Permissions with only r not added.");
1840 result = perm_app_revoke_permissions(APP_ID);
1841 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1842 "Error revoking app permissions. Result: " << result);
1846 * Until perm_app_disable_permissions is not fixed this test should remain
1850 * Remove previously granted SMACK permissions based on permissions list.
1852 /*RUNNER_TEST(privilege_control12_app_disable_permissions)
1856 * Test - disable all granted permissions.
1860 // Prepare permissions that we want to disable
1861 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1862 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1863 " Error enabling app permissions. Result: " << result);
1865 // Disable permissions
1866 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1867 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1868 "Error disabling app permissions. Result: " << result);
1870 // Are all the permissions disabled?
1871 result = test_have_any_accesses(rules2);
1872 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1875 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1878 // Prepare permissions that will not be disabled
1879 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1880 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1881 " Error adding app first permissions. Result: " << result);
1883 // Prepare permissions that we want to disable
1884 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1885 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1886 " Error adding app second permissions. Result: " << result);
1888 // Disable second permissions
1889 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1890 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1891 "Error disabling app second permissions. Result: " << result);
1893 // Are all second permissions disabled?
1894 result = test_have_any_accesses(rules2);
1895 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1897 // Are all first permissions not disabled?
1898 result = test_have_all_accesses(rules);
1899 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1901 // Disable first permissions
1902 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1903 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1904 "Error disabling app first permissions. Result: " << result);
1906 // Are all second permissions disabled?
1907 result = test_have_any_accesses(rules);
1908 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1911 * Test - disable only no r granted permissions.
1914 // Prepare permissions
1915 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1916 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1917 " Error adding app permissions. Result: " << result);
1919 // Disable same permissions without r
1920 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1921 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1922 "Error disabling app no r permissions. Result: " << result);
1924 // Is any r permissions disabled?
1925 result = test_have_all_accesses(rules2_r);
1926 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1927 // Are all no r permissions disabled?
1928 result = test_have_any_accesses(rules2_no_r);
1929 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1931 // Prepare permissions
1932 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1933 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1934 " Error adding app no r permissions. Result: " << result);
1936 // Disable all permissions
1937 result = perm_app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1938 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1939 "Error disabling app permissions. Result: " << result);
1943 * Reset SMACK permissions for an application by revoking all previously
1944 * granted rules and enabling them again from a rules file from disk.
1947 RUNNER_TEST(privilege_control13_app_reset_permissions)
1952 * Test - doing reset and checking if rules exist again.
1955 // Prepare permissions to reset
1956 result = perm_app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1957 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1958 " Error adding app permissions. Result: " << result);
1960 // Reset permissions
1961 result = perm_app_reset_permissions(APP_ID);
1962 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1963 "Error reseting app permissions. Result: " << result);
1965 // Are all second permissions not disabled?
1966 result = test_have_all_accesses(rules2);
1967 RUNNER_ASSERT_MSG(result == 1, "Not all permissions added.");
1969 // Disable permissions
1970 result = perm_app_revoke_permissions(APP_ID);
1971 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1972 "Error disabling app permissions. Result: " << result);
1976 * Make two applications "friends", by giving them both full permissions on
1979 RUNNER_TEST(privilege_control14_app_add_friend)
1984 * Test - making friends with no permissions on each other
1987 result = perm_app_revoke_permissions(APP_FRIEND_1);
1988 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1989 "Error revoking app permissions. Result: " << result);
1990 result = perm_app_revoke_permissions(APP_FRIEND_2);
1991 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1992 "Error revoking app permissions. Result: " << result);
1994 perm_app_uninstall(APP_FRIEND_1);
1995 perm_app_uninstall(APP_FRIEND_2);
1997 // Installing friends to be
1998 result = perm_app_install(APP_FRIEND_1);
1999 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2000 " Error installing first app. Result: " << result);
2001 result = perm_app_install(APP_FRIEND_2);
2002 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2003 " Error installing second app. Result: " << result);
2006 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2007 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2008 " Error making friends. Errno: " << result);
2010 // Checking if friends were made
2011 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2012 RUNNER_ASSERT_MSG(result == 1,
2013 " Error first one sided friednship failed. Result: " << result);
2014 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2015 RUNNER_ASSERT_MSG(result == 1,
2016 " Error second one sided friednship failed. Result: " << result);
2019 result = perm_app_revoke_permissions(APP_FRIEND_1);
2020 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2021 "Error revoking app permissions. Result: " << result);
2022 result = perm_app_revoke_permissions(APP_FRIEND_2);
2023 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2024 "Error revoking app permissions. Result: " << result);
2026 perm_app_uninstall(APP_FRIEND_1);
2027 perm_app_uninstall(APP_FRIEND_2);
2030 * Test - making friends with nonexisting friend
2033 // Installing one friend
2034 result = perm_app_install(APP_FRIEND_1);
2035 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2036 " Error installing first app. Errno: " << result);
2038 // Adding imaginairy friend as second
2039 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2040 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2041 " Error making friends (first) with imaginairy friend failed. Result: "
2043 // Adding imaginairy friend as first
2044 result = perm_app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
2045 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2046 " Error making friends (second) with imaginairy friend failed. Result: "
2049 result = perm_app_revoke_permissions(APP_FRIEND_1);
2050 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2051 "Error revoking app permissions. Result: " << result);
2052 result = perm_app_revoke_permissions(APP_FRIEND_2);
2053 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2054 "Error revoking app permissions. Result: " << result);
2056 perm_app_uninstall(APP_FRIEND_1);
2057 perm_app_uninstall(APP_FRIEND_2);
2060 * Test - making friends with some permissions already added
2065 struct smack_accesses *rulesFriend = NULL;
2067 std::vector<std::string> accessesFriend =
2068 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
2070 // Installing friends to be
2071 result = perm_app_install(APP_FRIEND_1);
2072 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2073 " Error installing first app. Result: " << result);
2074 result = perm_app_install(APP_FRIEND_2);
2075 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2076 " Error installing second app. Result: " << result);
2078 for (i = 0; i < accessesFriend.size(); ++i)
2080 for (j = 0; j < accessesFriend.size(); ++j)
2082 // Adding rules before making friends
2083 result = smack_accesses_new(&rulesFriend);
2084 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2085 "Error in smack_accesses_new. Result: " << result);
2087 result = smack_accesses_add(rulesFriend,
2088 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
2089 RUNNER_ASSERT_MSG(result == 0,
2090 "Unable to add modify rulesFirend (first). Result: " << result);
2091 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
2092 APP_FRIEND_1, accessesFriend[j].c_str());
2093 RUNNER_ASSERT_MSG(result == 0,
2094 "Unable to add modify rulesFirend (second). Result: " << result);
2096 result = smack_accesses_apply(rulesFriend);
2097 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2098 "Error in smack_accesses_apply. Result: " << result);
2101 result = perm_app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
2102 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2103 " Error making friends. Result: " << result);
2105 // Checking if friends were made
2106 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
2107 RUNNER_ASSERT_MSG(result == 1,
2108 " Error first one sided friednship failed. Result: " << result);
2109 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
2110 RUNNER_ASSERT_MSG(result == 1,
2111 " Error second one sided friednship failed. Result: " << result);
2113 // Deleting all rules between friends
2114 smack_accesses_add_modify(rulesFriend,
2115 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
2116 smack_accesses_add_modify(rulesFriend,
2117 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
2119 result = smack_accesses_apply(rulesFriend);
2121 smack_accesses_free(rulesFriend);
2127 result = perm_app_revoke_permissions(APP_FRIEND_1);
2128 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2129 "Error revoking app permissions. Result: " << result);
2130 result = perm_app_revoke_permissions(APP_FRIEND_2);
2131 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
2132 "Error revoking app permissions. Result: " << result);
2134 perm_app_uninstall(APP_FRIEND_1);
2135 perm_app_uninstall(APP_FRIEND_2);
2138 static void smack_set_random_label_based_on_pid_on_self(void)
2141 std::stringstream ss;
2143 ss << "s-" << getpid() << "-" << getppid();
2144 result = smack_set_label_for_self(ss.str().c_str());
2145 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
2146 << ss.str().c_str() << ") failed");
2149 static void smack_unix_sock_server(int sock)
2155 fd = accept(sock, NULL, NULL);
2159 result = smack_new_label_from_self(&smack_label);
2164 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
2166 result = write(fd, smack_label, strlen(smack_label));
2167 if (result != (int)strlen(smack_label)) {
2171 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
2177 RUNNER_TEST(privilege_control15_app_id_from_socket)
2180 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
2184 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2186 smack_set_random_label_based_on_pid_on_self();
2188 if (!pid) { /* child process, server */
2191 /* Set the process label before creating a socket */
2192 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2193 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
2195 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
2198 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
2200 result = listen(sock, 1);
2203 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
2205 smack_unix_sock_server(sock);
2207 /* Change the process label with listening socket */
2208 smack_unix_sock_server(sock);
2211 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
2212 /* Now running two concurrent servers.
2213 Test if socket label was unaffected by fork() */
2214 smack_unix_sock_server(sock);
2215 /* Let's give the two servers different labels */
2216 smack_unix_sock_server(sock);
2218 waitpid(pid, NULL, 0);
2220 } else { /* parent process, client */
2221 sleep(1); /* Give server some time to setup listening socket */
2223 for (i = 0; i < 4; ++i) {
2226 char smack_label1[SMACK_LABEL_LEN + 1];
2229 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2230 RUNNER_ASSERT_MSG(sock >= 0,
2231 "socket failed: " << strerror(errno));
2232 result = connect(sock,
2233 (struct sockaddr*) &sockaddr, sizeof(struct sockaddr_un));
2236 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
2240 result = read(sock, smack_label1, SMACK_LABEL_LEN);
2244 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
2246 smack_label1[result] = '\0';
2247 smack_label2 = perm_app_id_from_socket(sock);
2248 if (smack_label2 == NULL) {
2250 RUNNER_ASSERT_MSG(0, "perm_app_id_from_socket failed");
2252 result = strcmp(smack_label1, smack_label2);
2255 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
2256 << "' != '" << smack_label2 << "-" << random() << "'");
2260 waitpid(pid, NULL, 0);
2264 RUNNER_TEST(privilege_control16_app_setup_path){
2265 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
2266 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
2267 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
2268 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
2269 const char *label1 = "qwert123456za";
2270 const char *label2 = "trewq654123az";
2272 std::unique_ptr<char, std::function<void(void*)> > labelPtr(NULL,free);
2277 int fd = creat(path3, S_IRWXU);
2280 fd = creat(path4, S_IRWXU);
2286 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
2287 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
2288 labelPtr.reset(label);
2290 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
2292 RUNNER_ASSERT(PC_OPERATION_SUCCESS == perm_app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
2293 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
2294 labelPtr.reset(label);
2296 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
2298 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
2299 labelPtr.reset(label);
2301 RUNNER_ASSERT(labelPtr.get() == NULL);
2304 RUNNER_TEST(privilege_control17_appsettings_privilege)
2306 #define APP_1 "app_1"
2307 #define APP_1_DIR "/tmp/app_1"
2309 #define APP_2 "app_2"
2310 #define APP_2_DIR "/tmp/app_2"
2312 #define APP_TEST "app_test"
2314 #define PRIV_APPSETTING (const char*[]) {"http://tizen.org/privilege/appsetting", NULL}
2317 char *app1_dir_label;
2318 char *app2_dir_label;
2322 (void)perm_app_uninstall(APP_TEST);
2323 (void)perm_app_uninstall(APP_1);
2324 (void)perm_app_uninstall(APP_2);
2326 //install some app 1
2327 ret = perm_app_install(APP_1);
2328 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install." << ret);
2330 mkdir(APP_1_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2332 //register settings folder for app 1
2333 ret = perm_app_setup_path(APP_1, APP_1_DIR, APP_PATH_SETTINGS_RW );
2334 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
2336 //install "app_test" and give it appsettings privilege
2337 ret = perm_app_install(APP_TEST);
2338 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
2341 ret = perm_app_enable_permissions(APP_TEST, APP_TYPE_OSP, PRIV_APPSETTING, true);
2343 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,
2344 " Error enabling app permissions. Result: " << ret);
2346 //check if "app_test" has an RX access to the app "app_1"
2347 ret = smack_have_access(APP_TEST, APP_1, "rx");
2348 RUNNER_ASSERT_MSG(ret,"access denies");
2351 //check if "app_test" has an RWX access to a folder registered by "app_1"
2352 ret = smack_getlabel(APP_1_DIR, &app1_dir_label, SMACK_LABEL_ACCESS );
2353 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2354 ret = smack_have_access(APP_TEST, app1_dir_label, "rwx");
2355 RUNNER_ASSERT_MSG(ret,"access denies");
2358 //intstall another app: "app_2"
2359 ret = perm_app_install(APP_2);
2360 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_install.");
2362 mkdir(APP_2_DIR, S_IRWXU | S_IRGRP | S_IXGRP);
2363 //register settings folder for that "app_2"
2364 ret = perm_app_setup_path(APP_2, APP_2_DIR, APP_PATH_SETTINGS_RW );
2365 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS, "Error in perm_app_setup_path: " << ret);
2367 //check if "app_test" has an RX access to the app "app_2"
2368 ret = smack_have_access(APP_TEST, APP_2, "rx");
2369 RUNNER_ASSERT_MSG(ret,"access denies");
2371 //check if "app_test" has an RWX access to a folder registered by "app_2"
2372 ret = smack_getlabel(APP_2_DIR, &app2_dir_label, SMACK_LABEL_ACCESS );
2373 RUNNER_ASSERT_MSG(ret == PC_OPERATION_SUCCESS,"smack_getlabel failed");
2374 ret = smack_have_access(APP_TEST, app2_dir_label, "rwx");
2375 RUNNER_ASSERT_MSG(ret,"access denies");
2377 free (app1_dir_label);
2378 free (app2_dir_label);
2382 (void)perm_app_uninstall(APP_TEST);
2383 (void)perm_app_uninstall(APP_1);
2384 (void)perm_app_uninstall(APP_2);
2387 RUNNER_TEST(privilege_control18_app_setup_path_public)
2391 cleaning_smack_database_files();
2394 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2395 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2397 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2398 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2400 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_PUBLIC_RO);
2401 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
2403 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_public_dir, FTW_MAX_FDS, FTW_PHYS);
2404 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2406 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2407 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2409 cleaning_smack_database_files();
2412 RUNNER_TEST(privilege_control19_app_setup_path_settings)
2416 cleaning_smack_database_files();
2419 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
2420 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
2422 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2423 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
2425 result = perm_app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_SETTINGS_RW);
2426 RUNNER_ASSERT_MSG(result == 0, "perm_app_setup_path() failed");
2428 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_settings_dir, FTW_MAX_FDS, FTW_PHYS);
2429 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
2431 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
2432 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
2434 cleaning_smack_database_files();
2437 RUNNER_TEST(privilege_control20_early_rules)
2443 char *single_line_format = NULL;
2446 char subject[SMACK_LABEL_LEN + 1];
2447 char object[SMACK_LABEL_LEN + 1];
2448 char rule_add[SMACK_ACC_LEN + 1];
2449 char rule_remove[SMACK_ACC_LEN + 1];
2451 subject[SMACK_LABEL_LEN] = '\0';
2452 object[SMACK_LABEL_LEN] = '\0';
2453 rule_add[SMACK_ACC_LEN] = '\0';
2454 rule_remove[SMACK_ACC_LEN] = '\0';
2456 unlink(SMACK_RULES_DIR APP_ID);
2458 perm_app_uninstall(APP_ID);
2460 result = perm_app_install(APP_ID);
2461 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2462 result = perm_app_install(APP_TEST_APP_1);
2463 RUNNER_ASSERT_MSG(result == 0, "perm_app_install returned " << result << ". Errno: " << strerror(errno));
2465 // checking if file really exists
2466 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
2468 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << SMACK_RULES_DIR << APP_ID << " : " << fd << ". Errno: " << strerror(errno));
2471 result = perm_app_enable_permissions(APP_ID, APP_TYPE_WGT, (const char**) &perm, 1);
2472 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2473 result = perm_app_enable_permissions(APP_TEST_APP_1, APP_TYPE_WGT, (const char**) &perm, 1);
2474 RUNNER_ASSERT_MSG(result == 0, "app_enable_permission failed: " << result);
2476 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2477 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2479 result = asprintf(&single_line_format, "%%%ds %%%ds %%%ds %%%ds\\n", SMACK_LABEL_LEN, SMACK_LABEL_LEN, SMACK_ACC_LEN, SMACK_ACC_LEN);
2481 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2482 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2483 pass_1 = 1; // Found rule for APP_ID
2486 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2487 pass_2 = 1; // Found rule for APP_TEST_APP_1
2494 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " not found");
2495 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2497 // Checking if "early rule" for APP_ID was really removed
2498 // We also should make sure that "early rules" for other apps wasn't removed
2499 result = perm_app_uninstall(APP_ID);
2500 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
2504 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2505 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2507 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2508 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2509 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2512 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2513 pass_2 = 1; // Found rule for APP_TEST_APP_1
2520 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2521 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " not found");
2523 // Removing and checking "early rule" for APP_TEST_APP_1
2524 result = perm_app_uninstall(APP_TEST_APP_1);
2525 RUNNER_ASSERT_MSG(result == 0, "perm_app_uninstall returned " << result << ". Errno: " << strerror(errno));
2529 file = fopen(SMACK_STARTUP_RULES_FILE, "r");
2530 RUNNER_ASSERT_MSG(file != NULL, "File open failed: " << SMACK_STARTUP_RULES_FILE << " : " << file << ". Errno: " << strerror(errno));
2532 while(fscanf(file, single_line_format, subject, object, rule_add, rule_remove) == 4) {
2533 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_ID, SMACK_LABEL_LEN) == 0) {
2534 pass_1 = 0; // Found rule for APP_ID - it should NOT be here
2537 if(strncmp(subject, EARLY_RULE_SUBJECT, SMACK_LABEL_LEN) == 0 && strncmp(object, APP_TEST_APP_1, SMACK_LABEL_LEN) == 0) {
2538 pass_2 = 0; // Found rule for APP_TEST_APP_1 - it should NOT be here
2542 free(single_line_format);
2545 RUNNER_ASSERT_MSG(pass_1 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_ID << " " << EARLY_RULE_RIGHTS << " found");
2546 RUNNER_ASSERT_MSG(pass_2 == 1, "Rule " << EARLY_RULE_SUBJECT << " " << APP_TEST_APP_1 << " " << EARLY_RULE_RIGHTS << " found");
projects / platform / core / test / security-tests.git / blob