2 * Copyright (c) 2012 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
18 * @file test_cases.cpp
19 * @author Jan Olszak (j.olszak@samsung.com)
20 * @author Rafal Krypa (r.krypa@samsung.com)
22 * @brief libprivilege-control test runer
33 #include <dpl/test/test_runner.h>
34 #include <dpl/test/test_runner_child.h>
35 #include <dpl/log/log.h>
36 #include <sys/types.h>
39 #include <sys/xattr.h>
40 #include <sys/smack.h>
41 #include <sys/types.h>
42 #include <sys/socket.h>
45 #include <privilege-control.h>
49 #define SMACK_RULES_DIR "/opt/etc/smack-app/accesses.d/"
50 #define SMACK_LOAD2 "/smack/load2"
51 #define TEST_APP_DIR "/etc/smack/test_privilege_control_DIR/app_dir"
52 #define TEST_NON_APP_DIR "/etc/smack/test_privilege_control_DIR/non_app_dir"
53 #define APPID_DIR "test_APP_ID_dir"
54 #define APPID_SHARED_DIR "test_APP_ID_shared_dir"
55 #define CANARY_LABEL "tiny_yellow_canary"
57 #define APP_ID "test_APP"
58 #define APP_SET_PRIV_PATH "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP"
59 #define APP_SET_PRIV_PATH_REAL "/etc/smack/test_privilege_control_DIR/test_set_app_privilege/test_APP_REAL"
61 #define WGT_APP_ID "QwCqJ0ttyS"
62 #define WGT_PARTNER_APP_ID "7btsV1Y0sX"
63 #define WGT_PLATFORM_APP_ID "G4DE3U2vmW"
64 #define WGT_APP_PATH "/opt/usr/apps/QwCqJ0ttyS/bin/QwCqJ0ttyS.TestMisiuPysiu123"
65 #define WGT_PARTNER_APP_PATH "/opt/usr/apps/7btsV1Y0sX/bin/7btsV1Y0sX.MisiuPysiu123Partner"
66 #define WGT_PLATFORM_APP_PATH "/opt/usr/apps/G4DE3U2vmW/bin/G4DE3U2vmW.MisiuPysiu123Platform"
68 const char *PRIVS[] = { "WRT", "test_privilege_control_rules", NULL };
69 const char *PRIVS2[] = { "test_privilege_control_rules2", NULL };
70 const char *PRIVS2_NO_R[] = { "test_privilege_control_rules2_no_r", NULL };
71 const char *PRIVS2_R[] = { "test_privilege_control_rules2_r", NULL };
72 const char *PRIVS2_R_AND_NO_R[] = { "test_privilege_control_rules2_r", "test_privilege_control_rules2_no_r", NULL };
73 const char *PRIVS_WGT[] = { "test_privilege_control_rules_wgt", NULL };
75 #define LIBPRIVILEGE_APP_GROUP_LIST "/usr/share/privilege-control/app_group_list"
76 #define LIBPRIVILEGE_TEST_DAC_FILE "/usr/share/privilege-control/test_privilege_control_rules.dac"
77 #define LIBPRIVILEGE_TEST_DAC_FILE_WGT "/usr/share/privilege-control/WRT_test_privilege_control_rules_wgt.dac"
79 #define APP_TEST_APP_1 "test-application1"
80 #define APP_TEST_APP_2 "test-application_2"
81 #define APP_TEST_APP_3 "test-app-3"
82 #define APP_TEST_AV_1 "test-antivirus1"
83 #define APP_TEST_AV_2 "test-antivirus_2"
84 #define APP_TEST_AV_3 "test-av-3"
85 #define SMACK_APPS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_apps_id.db"
86 #define SMACK_AVS_LABELS_DATABASE "/opt/dbspace/.privilege_control_all_avs_id.db"
88 #define SOCK_PATH "/tmp/test-smack-socket"
92 #define APP_USER_NAME "app"
93 #define APP_HOME_DIR "/opt/home/app"
95 #define APP_FRIEND_1 "app_friend_1"
96 #define APP_FRIEND_2 "app_friend_2"
98 // How many open file descriptors should ftw() function use?
99 #define FTW_MAX_FDS 16
101 // Rules from test_privilege_control_rules.smack
102 const std::vector< std::vector<std::string> > rules = {
103 { APP_ID, "test_book_1", "r" },
104 { APP_ID, "test_book_2", "w" },
105 { APP_ID, "test_book_3", "x" },
106 { APP_ID, "test_book_4", "rw" },
107 { APP_ID, "test_book_5", "rx" },
108 { APP_ID, "test_book_6", "wx" },
109 { APP_ID, "test_book_7", "rwx" },
110 { "test_subject_1", APP_ID, "r" },
111 { "test_subject_2", APP_ID, "w" },
112 { "test_subject_3", APP_ID, "x" },
113 { "test_subject_4", APP_ID, "rw" },
114 { "test_subject_5", APP_ID, "rx" },
115 { "test_subject_6", APP_ID, "wx" },
116 { "test_subject_7", APP_ID, "rwx" },
117 { APP_ID, APPID_SHARED_DIR, "rwxat"}};
119 // Rules from test_privilege_control_rules2.smack
120 const std::vector< std::vector<std::string> > rules2 = {
121 { APP_ID, "test_book_8", "r" },
122 { APP_ID, "test_book_9", "w" },
123 { APP_ID, "test_book_10", "x" },
124 { APP_ID, "test_book_11", "rw" },
125 { APP_ID, "test_book_12", "rx" },
126 { APP_ID, "test_book_13", "wx" },
127 { APP_ID, "test_book_14", "rwx" },
128 { APP_ID, "test_book_15", "rwxat" },
129 { "test_subject_8", APP_ID, "r" },
130 { "test_subject_9", APP_ID, "w" },
131 { "test_subject_10", APP_ID, "x" },
132 { "test_subject_11", APP_ID, "rw" },
133 { "test_subject_12", APP_ID, "rx" },
134 { "test_subject_13", APP_ID, "wx" },
135 { "test_subject_14", APP_ID, "rwx" },
136 { "test_subject_15", APP_ID, "rwxat" }};
138 // Rules from test_privilege_control_rules_no_r.smack
139 const std::vector< std::vector<std::string> > rules2_no_r = {
140 { APP_ID, "test_book_9", "w" },
141 { APP_ID, "test_book_10", "x" },
142 { APP_ID, "test_book_11", "w" },
143 { APP_ID, "test_book_12", "x" },
144 { APP_ID, "test_book_13", "wx" },
145 { APP_ID, "test_book_14", "wx" },
146 { APP_ID, "test_book_15", "wxat" },
147 { "test_subject_9", APP_ID, "w" },
148 { "test_subject_10", APP_ID, "x" },
149 { "test_subject_11", APP_ID, "w" },
150 { "test_subject_12", APP_ID, "x" },
151 { "test_subject_13", APP_ID, "wx" },
152 { "test_subject_14", APP_ID, "wx" },
153 { "test_subject_15", APP_ID, "wxat" }};
155 // Rules from test_privilege_control_rules.smack
156 // minus test_privilege_control_rules_no_r.smack
157 const std::vector< std::vector<std::string> > rules2_r = {
158 { APP_ID, "test_book_8", "r" },
159 { APP_ID, "test_book_11", "r" },
160 { APP_ID, "test_book_12", "r" },
161 { APP_ID, "test_book_14", "r" },
162 { APP_ID, "test_book_15", "r" },
163 { "test_subject_8", APP_ID, "r" },
164 { "test_subject_11", APP_ID, "r" },
165 { "test_subject_12", APP_ID, "r" },
166 { "test_subject_14", APP_ID, "r" },
167 { "test_subject_15", APP_ID, "r" }};
169 // Rules from test_privilege_control_rules_wgt.smack for wgt
170 const std::vector< std::vector<std::string> > rules_wgt = {
171 { WGT_APP_ID, "test_book_8", "r" },
172 { WGT_APP_ID, "test_book_9", "w" },
173 { WGT_APP_ID, "test_book_10", "x" },
174 { WGT_APP_ID, "test_book_11", "rw" },
175 { WGT_APP_ID, "test_book_12", "rx" },
176 { WGT_APP_ID, "test_book_13", "wx" },
177 { WGT_APP_ID, "test_book_14", "rwx" },
178 { WGT_APP_ID, "test_book_15", "rwxat" },
179 { "test_subject_8", WGT_APP_ID, "r" },
180 { "test_subject_9", WGT_APP_ID, "w" },
181 { "test_subject_10", WGT_APP_ID, "x" },
182 { "test_subject_11", WGT_APP_ID, "rw" },
183 { "test_subject_12", WGT_APP_ID, "rx" },
184 { "test_subject_13", WGT_APP_ID, "wx" },
185 { "test_subject_14", WGT_APP_ID, "rwx" },
186 { "test_subject_15", WGT_APP_ID, "rwxat" }};
188 // Rules from test_privilege_control_rules_wgt.smack for wgt_partner
189 const std::vector< std::vector<std::string> > rules_wgt_partner = {
190 { WGT_PARTNER_APP_ID, "test_book_8", "r" },
191 { WGT_PARTNER_APP_ID, "test_book_9", "w" },
192 { WGT_PARTNER_APP_ID, "test_book_10", "x" },
193 { WGT_PARTNER_APP_ID, "test_book_11", "rw" },
194 { WGT_PARTNER_APP_ID, "test_book_12", "rx" },
195 { WGT_PARTNER_APP_ID, "test_book_13", "wx" },
196 { WGT_PARTNER_APP_ID, "test_book_14", "rwx" },
197 { WGT_PARTNER_APP_ID, "test_book_15", "rwxat" },
198 { "test_subject_8", WGT_PARTNER_APP_ID, "r" },
199 { "test_subject_9", WGT_PARTNER_APP_ID, "w" },
200 { "test_subject_10", WGT_PARTNER_APP_ID, "x" },
201 { "test_subject_11", WGT_PARTNER_APP_ID, "rw" },
202 { "test_subject_12", WGT_PARTNER_APP_ID, "rx" },
203 { "test_subject_13", WGT_PARTNER_APP_ID, "wx" },
204 { "test_subject_14", WGT_PARTNER_APP_ID, "rwx" },
205 { "test_subject_15", WGT_PARTNER_APP_ID, "rwxat" }};
207 // Rules from test_privilege_control_rules_wgt.smack for wgt_platform
208 const std::vector< std::vector<std::string> > rules_wgt_platform = {
209 { WGT_PLATFORM_APP_ID, "test_book_8", "r" },
210 { WGT_PLATFORM_APP_ID, "test_book_9", "w" },
211 { WGT_PLATFORM_APP_ID, "test_book_10", "x" },
212 { WGT_PLATFORM_APP_ID, "test_book_11", "rw" },
213 { WGT_PLATFORM_APP_ID, "test_book_12", "rx" },
214 { WGT_PLATFORM_APP_ID, "test_book_13", "wx" },
215 { WGT_PLATFORM_APP_ID, "test_book_14", "rwx" },
216 { WGT_PLATFORM_APP_ID, "test_book_15", "rwxat" },
217 { "test_subject_8", WGT_PLATFORM_APP_ID, "r" },
218 { "test_subject_9", WGT_PLATFORM_APP_ID, "w" },
219 { "test_subject_10", WGT_PLATFORM_APP_ID, "x" },
220 { "test_subject_11", WGT_PLATFORM_APP_ID, "rw" },
221 { "test_subject_12", WGT_PLATFORM_APP_ID, "rx" },
222 { "test_subject_13", WGT_PLATFORM_APP_ID, "wx" },
223 { "test_subject_14", WGT_PLATFORM_APP_ID, "rwx" },
224 { "test_subject_15", WGT_PLATFORM_APP_ID, "rwxat" }};
228 typedef std::unique_ptr<smack_accesses,std::function<void(smack_accesses*)>> SmackUniquePtr;
230 const char* OSP_BLAHBLAH = "/usr/share/privilege-control/OSP_feature.blah.blahblah.smack";
231 const char* WRT_BLAHBLAH = "/usr/share/privilege-control/WGT_blahblah.smack";
232 const char* OTHER_BLAHBLAH = "/usr/share/privilege-control/blahblah.smack";
233 const char* OSP_BLAHBLAH_DAC = "/usr/share/privilege-control/OSP_feature.blah.blahblah.dac";
234 const char* WRT_BLAHBLAH_DAC = "/usr/share/privilege-control/WGT_blahblah.dac";
235 const char* OTHER_BLAHBLAH_DAC = "/usr/share/privilege-control/blahblah.dac";
236 const char* BLAHBLAH_FEATURE = "http://feature/blah/blahblah";
239 * Check if every rule is true.
240 * @return 1 if ALL rules in SMACK, 0 if ANY rule isn't
242 int test_have_all_accesses(const std::vector< std::vector<std::string> >& rules){
244 for(uint i =0; i<rules.size();++i ){
245 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
253 * Check if every rule is true.
254 * @return 1 if ANY rule in SMACK, 0 if
256 int test_have_any_accesses(const std::vector< std::vector<std::string> >& rules){
258 for(uint i =0; i<rules.size();++i ){
259 result = smack_have_access(rules[i][0].c_str(),rules[i][1].c_str(),rules[i][2].c_str());
266 int nftw_remove_labels(const char *fpath, const struct stat * /*sb*/,
267 int /*typeflag*/, struct FTW * /*ftwbuf*/)
269 smack_lsetlabel(fpath, NULL, SMACK_LABEL_ACCESS);
270 smack_lsetlabel(fpath, NULL, SMACK_LABEL_EXEC);
271 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
276 int nftw_set_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
277 int /*typeflag*/, struct FTW * /*ftwbuf*/)
279 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_ACCESS);
280 smack_lsetlabel(fpath, CANARY_LABEL, SMACK_LABEL_EXEC);
281 smack_lsetlabel(fpath, NULL, SMACK_LABEL_TRANSMUTE);
286 int nftw_check_labels_non_app_dir(const char *fpath, const struct stat * /*sb*/,
287 int /*typeflag*/, struct FTW * /*ftwbuf*/)
293 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
294 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
295 result = strcmp(CANARY_LABEL, label);
296 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is overwritten");
299 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
300 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
301 result = strcmp(CANARY_LABEL, label);
302 RUNNER_ASSERT_MSG(result == 0, "EXEC label on " << fpath << " is overwritten");
305 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
306 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
307 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
312 int nftw_check_labels_app_dir(const char *fpath, const struct stat *sb,
313 int /*typeflag*/, struct FTW * /*ftwbuf*/)
319 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
320 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
321 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
322 result = strcmp(APPID_DIR, label);
323 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
326 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
327 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
328 if (S_ISREG(sb->st_mode) && (sb->st_mode & S_IXUSR)) {
329 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
330 result = strcmp(APPID_DIR, label);
331 RUNNER_ASSERT_MSG(result == 0, "EXEC label on executable file " << fpath << " is incorrect");
332 } else if(S_ISLNK(sb->st_mode)) {
334 char* target = realpath(fpath, NULL);
335 RUNNER_ASSERT_MSG(0 == stat(target, &buf),"Stat failed for " << fpath);
337 if (buf.st_mode != (buf.st_mode | S_IXUSR | S_IFREG)) {
338 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
340 RUNNER_ASSERT_MSG(label != NULL, "EXEC label on " << fpath << " is not set");
341 result = strcmp(APPID_DIR, label);
342 RUNNER_ASSERT_MSG(result == 0, "EXEC label on link to executable file " << fpath << " is incorrect");
345 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
348 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
349 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
350 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
355 int nftw_check_labels_app_shared_dir(const char *fpath, const struct stat *sb,
356 int /*typeflag*/, struct FTW * /*ftwbuf*/)
362 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_ACCESS);
363 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
364 RUNNER_ASSERT_MSG(label != NULL, "ACCESS label on " << fpath << " is not set");
365 result = strcmp(APPID_SHARED_DIR, label);
366 RUNNER_ASSERT_MSG(result == 0, "ACCESS label on " << fpath << " is incorrect");
369 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_EXEC);
370 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
371 RUNNER_ASSERT_MSG(label == NULL, "EXEC label on " << fpath << " is set");
374 result = smack_lgetlabel(fpath, &label, SMACK_LABEL_TRANSMUTE);
375 RUNNER_ASSERT_MSG(result == 0, "Could not get label for the path");
376 if (S_ISDIR(sb->st_mode)) {
377 RUNNER_ASSERT_MSG(label != NULL, "TRANSMUTE label on " << fpath << " is not set");
378 result = strcmp("TRUE", label);
379 RUNNER_ASSERT_MSG(result == 0, "TRANSMUTE label on " << fpath << " is not set");
381 RUNNER_ASSERT_MSG(label == NULL, "TRANSMUTE label on " << fpath << " is set");
386 int file_exists(const char* path)
388 FILE* file = fopen(path, "r");
396 void osp_blahblah_check(int line_no, const std::vector<std::string>& rules)
398 std::ifstream smack_file(OSP_BLAHBLAH);
399 RUNNER_ASSERT_MSG(smack_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH);
401 auto it = rules.begin();
403 while(std::getline(smack_file,line)) {
404 RUNNER_ASSERT_MSG(it != rules.end(), "Line: " << line_no << "Additional line in file: " << line);
405 RUNNER_ASSERT_MSG(*it == line, "Line: " << line_no << " " << *it << "!=" << line);
409 RUNNER_ASSERT_MSG(it == rules.end(), "Line: " << line_no << " Missing line in file: " << *it);
414 void osp_blahblah_dac_check(int line_no, const std::vector<unsigned>& gids)
416 std::ifstream dac_file(OSP_BLAHBLAH_DAC);
417 RUNNER_ASSERT_MSG(dac_file, "Line: " << line_no << " Failed to create " << OSP_BLAHBLAH_DAC);
419 auto it = gids.begin();
421 while(std::getline(dac_file,line)) {
422 std::istringstream is(line);
425 RUNNER_ASSERT_MSG(it != gids.end(), "Line: " << line_no << "Additional line in file: " << gid);
426 RUNNER_ASSERT_MSG(*it == gid, "Line: " << line_no << " " << *it << "!=" << gid);
430 RUNNER_ASSERT_MSG(it == gids.end(), "Line: " << line_no << " Missing line in file: " << *it);
435 void remove_smack_files()
438 unlink(OSP_BLAHBLAH);
439 unlink(WRT_BLAHBLAH);
440 unlink(OTHER_BLAHBLAH);
441 unlink(OSP_BLAHBLAH_DAC);
442 unlink(WRT_BLAHBLAH_DAC);
443 unlink(OTHER_BLAHBLAH_DAC);
446 int cleaning_smack_app_files (void)
448 unlink(SMACK_RULES_DIR APP_TEST_APP_1);
450 unlink(SMACK_RULES_DIR APP_TEST_APP_2);
452 unlink(SMACK_RULES_DIR APP_TEST_APP_3);
454 unlink(SMACK_RULES_DIR APP_TEST_AV_1);
456 unlink(SMACK_RULES_DIR APP_TEST_AV_2);
458 unlink(SMACK_RULES_DIR APP_TEST_AV_3);
463 int cleaning_smack_database_files (void)
468 unlink(SMACK_APPS_LABELS_DATABASE);
469 fd = open(SMACK_APPS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
475 unlink(SMACK_AVS_LABELS_DATABASE);
476 fd = open(SMACK_AVS_LABELS_DATABASE, O_RDWR | O_EXCL | O_CREAT, 0644);
485 RUNNER_TEST_GROUP_INIT(libprivilegecontrol)
488 * Test setting labels for all files and folders in given path.
490 RUNNER_TEST(privilege_control02_app_label_dir)
494 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
495 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
497 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
498 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
500 result = app_setup_path(APPID_DIR, TEST_APP_DIR, APP_PATH_PRIVATE);
501 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
503 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_dir, FTW_MAX_FDS, FTW_PHYS);
504 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for app dir");
506 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
507 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
510 RUNNER_TEST(privilege_control03_app_label_shared_dir)
514 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APP_ID);
515 RUNNER_ASSERT_MSG(result != 0, "app_setup_path(APP_ID, APP_ID) didn't fail");
517 result = nftw(TEST_APP_DIR, &nftw_remove_labels, FTW_MAX_FDS, FTW_PHYS);
518 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_APP_DIR);
520 result = nftw(TEST_NON_APP_DIR, &nftw_set_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
521 RUNNER_ASSERT_MSG(result == 0, "Unable to clean up Smack labels in " << TEST_NON_APP_DIR);
523 result = app_setup_path(APP_ID, TEST_APP_DIR, APP_PATH_GROUP_RW, APPID_SHARED_DIR);
524 RUNNER_ASSERT_MSG(result == 0, "app_setup_path() failed");
526 result = nftw(TEST_APP_DIR, &nftw_check_labels_app_shared_dir, FTW_MAX_FDS, FTW_PHYS);
527 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for shared app dir");
529 result = nftw(TEST_NON_APP_DIR, &nftw_check_labels_non_app_dir, FTW_MAX_FDS, FTW_PHYS);
530 RUNNER_ASSERT_MSG(result == 0, "Unable to check Smack labels for non-app dir");
535 * Add permisions from test_privilege_control_rules template
537 RUNNER_TEST(privilege_control04_add_permissions)
539 int result = app_add_permissions(APP_ID, PRIVS);
540 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
541 " Error adding app permissions. Result: " << result);
543 // Check if the accesses are realy applied..
544 result = test_have_all_accesses(rules);
545 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
548 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
549 RUNNER_ASSERT_MSG(pFile != NULL,
550 "SMACK file NOT created!. Errno: " << errno);
553 fseek(pFile, 0L, SEEK_END);
554 int smack_file_length = ftell(pFile);
555 RUNNER_ASSERT_MSG(smack_file_length>0,
556 "SMACK file empty, but privileges list was not empty.. Errno: " << errno);
564 * Revoke permissions from the list. Should be executed as privileged user.
566 RUNNER_CHILD_TEST(privilege_control06_revoke_permissions)
571 // Revoke permissions
572 result = app_revoke_permissions(APP_ID);
573 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
574 "Error revoking app permissions. Result: " << result);
576 result = app_revoke_permissions(WGT_APP_ID);
577 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
578 "Error revoking app permissions. Result: " << result);
579 result = app_revoke_permissions(WGT_PARTNER_APP_ID);
580 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
581 "Error revoking app permissions. Result: " << result);
582 result = app_revoke_permissions(WGT_PLATFORM_APP_ID);
583 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
584 "Error revoking app permissions. Result: " << result);
586 // Are all the permissions revoked?
587 result = test_have_any_accesses(rules);
588 RUNNER_ASSERT_MSG(result!=1, "Not all permisions revoked.");
589 result = test_have_any_accesses(rules_wgt);
590 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
591 result = test_have_any_accesses(rules_wgt_partner);
592 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
593 result = test_have_any_accesses(rules_wgt_platform);
594 RUNNER_ASSERT_MSG(result==0, "Not all permisions revoked.");
597 FILE *pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
600 RUNNER_ASSERT_MSG(false,
601 "SMACK file exists after revoke!");
604 fd = open(SMACK_RULES_DIR WGT_APP_ID, O_RDONLY);
605 RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
606 RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
609 fd = open(SMACK_RULES_DIR WGT_PARTNER_APP_ID, O_RDONLY);
610 RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
611 RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
614 fd = open(SMACK_RULES_DIR WGT_PLATFORM_APP_ID, O_RDONLY);
615 RUNNER_ASSERT_MSG(fd >= 0, "SMACK file deleted after app_revoke_permissions");
616 RUNNER_ASSERT_MSG(lseek(fd, 0, SEEK_END) == 0, "SMACK file not empty after app_revoke_permissions");
621 static void read_gids(std::set<unsigned> &set, const char* file_path)
623 FILE *f = fopen(file_path, "r");
624 RUNNER_ASSERT_MSG(f != NULL, "Unable to open file " << file_path);
626 while (fscanf(f, "%u\n", &gid) == 1) {
631 RUNNER_TEST(privilege_control05_add_shared_dir_readers)
634 #define TEST_OBJ "TEST_OBJECT"
635 #define TEST_OBJ_SOME_OTHER "TEST_OBJA"
636 #define test_string_01 "TEST_raz TEST_OBJECT r-x-- -----"
637 #define test_string_21 "TEST_trzy TEST_OBJA -wx--\n"
638 #define test_string_22 "TEST_trzy TEST_OBJECT r-x-- -----\n"
645 const char *app_labels_wrong[] = {"-TEST_raz", NULL};
646 const char *app_labels[] = {"TEST_raz", "TEST_dwa", "TEST_trzy", NULL};
647 const int READ_BUF_SIZE = 1000;
648 char buf[READ_BUF_SIZE];
650 struct smack_accesses * rules = NULL;
652 //test what happens when the label is not correct SMACK label
653 result = smack_accesses_new(&rules);
654 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
656 result = add_shared_dir_readers(TEST_OBJ,app_labels_wrong);
657 RUNNER_ASSERT_MSG(result == PC_ERR_INVALID_PARAM, "add_shared_dir_readers should fail here");
659 result = smack_have_access(app_labels_wrong[0],TEST_OBJ,"rx");
660 RUNNER_ASSERT_MSG(result != 1, "add_shared_dir_readers should not grant permission here");
662 smack_accesses_free(rules);
664 //ok, now the correct list of apps
665 result = smack_accesses_new(&rules);
666 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in smack_accesses_new. Error: " << result);
668 for (i = 0; i < 3; i++) {
670 (void)app_uninstall(app_labels[i]);
671 result = app_install(app_labels[i]);
672 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in app_install.");
674 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[i]));
675 fd = open(path, O_WRONLY, 0644);
676 RUNNER_ASSERT_MSG(fd != -1, "Error in opening file " << path);
679 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ,"wt");
680 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
683 smack_accesses_free(rules);
684 result = smack_accesses_new(&rules);
685 result = smack_accesses_add(rules,app_labels[i],TEST_OBJ_SOME_OTHER,"wx");
686 RUNNER_ASSERT_MSG(result == 0, "smack_accesses_add failed");
688 result = smack_accesses_apply(rules);
689 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
691 result = smack_accesses_save(rules, fd);
692 RUNNER_ASSERT_MSG(fd != -1, "smack_accesses_apply failed");
699 smack_accesses_free(rules);
701 // THE TEST - accesses
703 result = add_shared_dir_readers(TEST_OBJ,app_labels);
704 RUNNER_ASSERT_MSG(result == 0, "add_shared_dir_readers failed");
706 result = smack_have_access(app_labels[0],TEST_OBJ,"rx");
707 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
709 result = smack_have_access(app_labels[1],TEST_OBJ,"rx");
710 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
712 result = smack_have_access(app_labels[2],TEST_OBJ,"rx");
713 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
715 result = smack_have_access(app_labels[1],TEST_OBJ,"rwxt");
716 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
718 result = smack_have_access(app_labels[2],TEST_OBJ_SOME_OTHER,"wx");
719 RUNNER_ASSERT_MSG(result == 1, "add_shared_dir_readers ERROR");
722 //TEST the operations on empty files
724 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[0]));
725 file = fopen(path, "r");
727 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
729 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
730 result = strcmp(buf, test_string_01);
731 RUNNER_ASSERT_MSG( result!=0, "add_shared_dir_readers ERROR, file not formatted" << path );
736 //TEST the operations on non empty files
737 RUNNER_ASSERT(0 <= asprintf(&path, SMACK_RULES_DIR "/%s", app_labels[2]));
739 file = fopen(path, "r");
740 RUNNER_ASSERT_MSG(file, "fopen failed, errno:" << errno);
742 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
743 result = strcmp(buf, test_string_21);
744 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
746 RUNNER_ASSERT(NULL != fgets(buf, READ_BUF_SIZE, file));
747 result = strcmp(buf, test_string_22);
748 RUNNER_ASSERT_MSG( result==0, "add_shared_dir_readers ERROR, file not formatted" );
756 * Set APP privileges.
758 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege)
763 smack_lsetlabel(APP_SET_PRIV_PATH_REAL, APP_ID, SMACK_LABEL_EXEC);
764 smack_lsetlabel(APP_SET_PRIV_PATH, APP_ID "_symlink", SMACK_LABEL_EXEC);
767 * TODO This test should also verify set_app_privilege behavior for OSP and
768 * WRT apps. To do that we'll have to install real apps on device as a
772 // Set APP privileges
773 result = set_app_privilege(APP_ID, NULL, APP_SET_PRIV_PATH);
774 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
776 // Check if SMACK label really set
778 result = smack_new_label_from_self(&label);
779 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
780 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
781 result = strcmp(APP_ID, label);
782 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
784 // Check if DAC privileges really set
785 RUNNER_ASSERT_MSG(getuid() == APP_UID, "Wrong UID");
786 RUNNER_ASSERT_MSG(getgid() == APP_GID, "Wrong GID");
788 result = strcmp(getenv("HOME"), APP_HOME_DIR);
789 RUNNER_ASSERT_MSG(result == 0, "Wrong HOME DIR");
791 result = strcmp(getenv("USER"), APP_USER_NAME);
792 RUNNER_ASSERT_MSG(result == 0, "Wrong user USER NAME");
794 std::set<unsigned> groups_check;
795 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
796 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE);
798 int groups_cnt = getgroups(0, NULL);
799 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
800 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
801 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
802 RUNNER_ASSERT(-1 != getgroups(groups_cnt, groups_list));
804 for (int i = 0; i < groups_cnt; ++i) {
805 if (groups_check.erase(groups_list[i]) == 0) {
806 // getgroups() may also return process' main group
807 if (groups_list[i] != getgid())
808 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
811 std::string groups_left;
812 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
813 groups_left.append(std::to_string(*it)).append(" ");
815 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
819 * Set APP privileges. wgt.
821 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt)
825 result = app_enable_permissions(WGT_APP_ID, APP_TYPE_WGT, PRIVS_WGT, 1);
826 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
827 " Error enabling app permissions. Result: " << result);
829 result = test_have_all_accesses(rules_wgt);
830 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
832 result = set_app_privilege(WGT_APP_ID, "wgt", WGT_APP_PATH);
833 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
835 // Check if SMACK label really set
837 result = smack_new_label_from_self(&label);
838 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
839 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
840 result = strcmp(WGT_APP_ID, label);
841 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
843 std::set<unsigned> groups_check;
844 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
845 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
847 int groups_cnt = getgroups(0, NULL);
848 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
849 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
850 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
851 getgroups(groups_cnt, groups_list);
853 for (int i = 0; i < groups_cnt; ++i) {
854 if (groups_check.erase(groups_list[i]) == 0) {
855 // getgroups() may also return process' main group
856 if (groups_list[i] != getgid())
857 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
860 std::string groups_left;
861 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
862 groups_left.append(std::to_string(*it)).append(" ");
864 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
868 * Set APP privileges. wgt_partner.
870 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_partner)
874 result = app_enable_permissions(WGT_PARTNER_APP_ID, APP_TYPE_WGT_PARTNER, PRIVS_WGT, 1);
875 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
876 " Error enabling app permissions. Result: " << result);
878 result = test_have_all_accesses(rules_wgt_partner);
879 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
881 result = set_app_privilege(WGT_PARTNER_APP_ID, "wgt_partner", WGT_PARTNER_APP_PATH);
882 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
884 // Check if SMACK label really set
886 result = smack_new_label_from_self(&label);
887 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
888 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
889 result = strcmp(WGT_PARTNER_APP_ID, label);
890 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
892 std::set<unsigned> groups_check;
893 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
894 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
896 int groups_cnt = getgroups(0, NULL);
897 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
898 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
899 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
900 getgroups(groups_cnt, groups_list);
902 for (int i = 0; i < groups_cnt; ++i) {
903 if (groups_check.erase(groups_list[i]) == 0) {
904 // getgroups() may also return process' main group
905 if (groups_list[i] != getgid())
906 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
909 std::string groups_left;
910 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
911 groups_left.append(std::to_string(*it)).append(" ");
913 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
917 * Set APP privileges. wgt_platform.
919 RUNNER_CHILD_TEST(privilege_control05_set_app_privilege_wgt_platform)
923 result = app_enable_permissions(WGT_PLATFORM_APP_ID, APP_TYPE_WGT_PLATFORM, PRIVS_WGT, 1);
924 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
925 " Error enabling app permissions. Result: " << result);
927 result = test_have_all_accesses(rules_wgt_platform);
928 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
930 result = set_app_privilege(WGT_PLATFORM_APP_ID, "wgt_platform", WGT_PLATFORM_APP_PATH);
931 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS, "Error in set_app_privilege. Error: " << result);
933 // Check if SMACK label really set
935 result = smack_new_label_from_self(&label);
936 RUNNER_ASSERT_MSG(result == 0, "Error getting current process label");
937 RUNNER_ASSERT_MSG(label != NULL, "Process label is not set");
938 result = strcmp(WGT_PLATFORM_APP_ID, label);
939 RUNNER_ASSERT_MSG(result == 0, "Process label " << label << " is incorrect");
941 std::set<unsigned> groups_check;
942 read_gids(groups_check, LIBPRIVILEGE_APP_GROUP_LIST);
943 read_gids(groups_check, LIBPRIVILEGE_TEST_DAC_FILE_WGT);
945 int groups_cnt = getgroups(0, NULL);
946 RUNNER_ASSERT_MSG(groups_cnt > 0, "Wrong number of supplementary groupsCnt");
947 gid_t *groups_list = (gid_t *) calloc(groups_cnt, sizeof(gid_t));
948 RUNNER_ASSERT_MSG(groups_list != NULL, "Memory allocation failed");
949 getgroups(groups_cnt, groups_list);
951 for (int i = 0; i < groups_cnt; ++i) {
952 if (groups_check.erase(groups_list[i]) == 0) {
953 // getgroups() may also return process' main group
954 if (groups_list[i] != getgid())
955 RUNNER_ASSERT_MSG(false, "Application belongs to unknown group (GID=" << groups_list[i] << ")");
958 std::string groups_left;
959 for (std::set<unsigned>::iterator it = groups_check.begin(); it != groups_check.end(); it++) {
960 groups_left.append(std::to_string(*it)).append(" ");
962 RUNNER_ASSERT_MSG(groups_check.empty(), "Application doesn't belong to some required groups: " << groups_left);
965 RUNNER_TEST(privilege_control08_app_give_access)
967 const char *subject = "lkjq345v34sfa";
968 const char *object = "lk9290f92lkjz";
969 smack_accesses *tmp = NULL;
971 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
973 SmackUniquePtr smack(tmp, smack_accesses_free);
975 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "r--a-"));
976 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
978 app_give_access(subject, object, "wt");
980 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwat"));
981 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
983 app_revoke_access(subject, object);
985 RUNNER_ASSERT(1 == smack_have_access(subject, object, "ra"));
986 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
987 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
988 RUNNER_ASSERT(0 == smack_have_access(subject, object, "t"));
990 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-"));
991 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
994 RUNNER_TEST(privilege_control09_app_give_access)
996 const char *subject = "ljk132flkjv";
997 const char *object = "jjsiqsc32vs";
998 smack_accesses *tmp = NULL;
1000 RUNNER_ASSERT(0 == smack_accesses_new(&tmp));
1002 SmackUniquePtr smack(tmp, smack_accesses_free);
1004 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "---t-"));
1005 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1007 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rw"));
1008 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_give_access(subject, object, "rwx"));
1010 RUNNER_ASSERT(1 == smack_have_access(subject, object, "rwxt"));
1011 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1013 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_revoke_access(subject, object));
1015 RUNNER_ASSERT(1 == smack_have_access(subject, object, "t"));
1016 RUNNER_ASSERT(0 == smack_have_access(subject, object, "r"));
1017 RUNNER_ASSERT(0 == smack_have_access(subject, object, "w"));
1018 RUNNER_ASSERT(0 == smack_have_access(subject, object, "x"));
1019 RUNNER_ASSERT(0 == smack_have_access(subject, object, "a"));
1021 RUNNER_ASSERT(0 == smack_accesses_add(smack.get(), subject, object, "-----"));
1022 RUNNER_ASSERT(0 == smack_accesses_apply(smack.get()));
1026 * Add new API feature
1028 RUNNER_TEST(privilege_control11_add_api_feature)
1032 remove_smack_files();
1035 // argument validation
1036 result = add_api_feature(APP_TYPE_OSP, NULL, NULL, NULL, 0);
1037 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1039 result = add_api_feature(APP_TYPE_OSP,"" , NULL, NULL, 0);
1040 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1043 // already existing features
1044 result = add_api_feature(APP_TYPE_OSP,"http://tizen.org/privilege/messaging.read" , NULL, NULL, 0);
1045 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1047 result = add_api_feature(APP_TYPE_WGT,"http://tizen.org/privilege/messaging.sms" , NULL, NULL, 0);
1048 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1050 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/privilege/messaging" , NULL, NULL, 0);
1051 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1053 result = add_api_feature(APP_TYPE_OTHER,"http://tizen.org/messaging" , NULL, NULL, 0);
1054 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1056 result = add_api_feature(APP_TYPE_OTHER,"http://messaging" , NULL, NULL, 0);
1057 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1059 result = add_api_feature(APP_TYPE_OTHER,"messaging.read" , NULL, NULL, 0);
1060 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1064 result = add_api_feature(APP_TYPE_OSP,"blahblah" , NULL, NULL, 0);
1065 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1067 result = add_api_feature(APP_TYPE_WGT,"blahblah" , NULL, NULL, 0);
1068 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1070 result = add_api_feature(APP_TYPE_OTHER,"blahblah" , NULL, NULL, 0);
1071 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1074 // smack files existence
1075 result = file_exists(OSP_BLAHBLAH);
1076 RUNNER_ASSERT(result == -1);
1078 result = file_exists(WRT_BLAHBLAH);
1079 RUNNER_ASSERT(result == -1);
1081 result = file_exists(OTHER_BLAHBLAH);
1082 RUNNER_ASSERT(result == -1);
1086 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , { NULL }, NULL, 0);
1087 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1088 result = file_exists(OSP_BLAHBLAH);
1089 RUNNER_ASSERT(result == -1);
1091 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "", NULL }, NULL, 0);
1092 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1093 result = file_exists(OSP_BLAHBLAH);
1094 RUNNER_ASSERT(result == 0);
1095 remove_smack_files();
1097 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ " \t\n", "\t \n", "\n\t ", NULL }, NULL, 0);
1098 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1099 result = file_exists(OSP_BLAHBLAH);
1100 RUNNER_ASSERT(result == 0);
1101 remove_smack_files();
1105 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed", NULL }, NULL, 0);
1106 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1107 result = file_exists(OSP_BLAHBLAH);
1108 RUNNER_ASSERT(result == -1);
1110 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed", NULL }, NULL, 0);
1111 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1112 result = file_exists(OSP_BLAHBLAH);
1113 RUNNER_ASSERT(result == -1);
1115 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "-malformed malformed rwxat", NULL }, NULL, 0);
1116 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1117 result = file_exists(OSP_BLAHBLAH);
1118 RUNNER_ASSERT(result == -1);
1120 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "~/\"\\ malformed rwxat", NULL }, NULL, 0);
1121 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1122 result = file_exists(OSP_BLAHBLAH);
1123 RUNNER_ASSERT(result == -1);
1125 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object rwxat something else", NULL }, NULL, 0);
1126 RUNNER_ASSERT(result == PC_ERR_INVALID_PARAM);
1127 result = file_exists(OSP_BLAHBLAH);
1128 RUNNER_ASSERT(result == -1);
1132 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "malformed malformed maaaaaalformed", NULL }, NULL, 0);
1133 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1134 osp_blahblah_check(__LINE__, { "malformed malformed r--a-" });
1135 remove_smack_files();
1137 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){ "subject object foo", NULL }, NULL, 0);
1138 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1139 osp_blahblah_check(__LINE__, { "subject object -----" });
1140 remove_smack_files();
1142 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1143 "subject object\t rwxat",
1145 "subject2\tobject2 txarw",
1148 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1149 osp_blahblah_check(__LINE__, { "subject object rwxat", "subject2 object2 rwxat"});
1150 remove_smack_files();
1152 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1153 "Sub::jE,ct object a-RwX",
1155 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1156 osp_blahblah_check(__LINE__, { "Sub::jE,ct object rwxa-"});
1157 remove_smack_files();
1159 // TODO For now identical/complementary rules are not merged.
1160 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){
1161 "subject object rwxat",
1163 "subject object txarw",
1166 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1167 osp_blahblah_check(__LINE__, { "subject object rwxat", "subject object rwxat"});
1168 remove_smack_files();
1172 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},0);
1173 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1174 osp_blahblah_check(__LINE__, { "a a ---a-"});
1175 result = file_exists(OSP_BLAHBLAH_DAC);
1176 RUNNER_ASSERT(result == -1);
1177 remove_smack_files();
1181 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},3);
1182 printf("%d \n", result);
1183 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1184 osp_blahblah_check(__LINE__, { "a a ---a-"});
1185 osp_blahblah_dac_check(__LINE__, {0,1,2});
1186 remove_smack_files();
1188 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){0,1,2},1);
1189 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1190 osp_blahblah_check(__LINE__, { "a a ---a-"});
1191 osp_blahblah_dac_check(__LINE__, {0});
1192 remove_smack_files();
1194 result = add_api_feature(APP_TYPE_OSP, BLAHBLAH_FEATURE , (const char*[]){"a a a",NULL},(const gid_t[]){1,1,1},3);
1195 RUNNER_ASSERT(result == PC_OPERATION_SUCCESS);
1196 osp_blahblah_check(__LINE__, { "a a ---a-"});
1197 osp_blahblah_dac_check(__LINE__, {1,1,1});
1198 remove_smack_files();
1202 * Check app_install function
1204 RUNNER_TEST(privilege_control01_app_install)
1210 unlink(SMACK_RULES_DIR APP_ID);
1212 app_uninstall(APP_ID);
1214 result = app_install(APP_ID);
1215 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1217 // checking if file really exists
1218 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1219 RUNNER_ASSERT_MSG(fd >= 0, "File open failed: " << path << " : " << result << ". Errno: " << strerror(errno));
1223 // try install second time app with the same ID - it should pass.
1224 result = app_install(APP_ID);
1225 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1229 * Check app_install function
1231 RUNNER_TEST(privilege_control07_app_uninstall)
1237 result = app_uninstall(APP_ID);
1238 RUNNER_ASSERT_MSG(result == 0, "app_uninstall returned " << result <<". Errno: " << strerror(errno));
1240 // checking if file really exists
1241 fd = open(SMACK_RULES_DIR APP_ID, O_RDONLY);
1242 RUNNER_ASSERT_MSG(fd == -1, "SMACK file NOT deleted after app_uninstall");
1247 void checkOnlyAvAccess(const char* av_id, const char* app_id, const char* comment){
1249 result = smack_have_access(av_id, app_id, "rwx");
1250 RUNNER_ASSERT_MSG(result == 1,
1251 "Error while checking " << av_id << " rwx access to "
1252 << app_id << " " << comment << " Result: " << result);
1253 result = smack_have_access(av_id, app_id, "a");
1254 RUNNER_ASSERT_MSG(result == 0,
1255 "Error while checking " << av_id << " a access to "
1256 << app_id << " " << comment << " Result: " << result);
1257 result = smack_have_access(av_id, app_id, "t");
1258 RUNNER_ASSERT_MSG(result == 0,
1259 "Error while checking " << av_id << " t access to "
1260 << app_id << " " << comment << " Result: " << result);
1264 * Check app_register_av function
1265 * Notice that this test case may have no sense if previous would fail (privilege_control06_app_install)
1267 RUNNER_TEST(privilege_control10_app_register_av)
1272 smack_revoke_subject(APP_TEST_AV_1);
1273 smack_revoke_subject(APP_TEST_AV_2);
1275 cleaning_smack_app_files();
1276 cleaning_smack_database_files();
1278 // Adding two apps before antivir
1279 result = app_install(APP_TEST_APP_1);
1280 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1282 result = app_install(APP_TEST_APP_2);
1283 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1286 result = app_register_av(APP_TEST_AV_1);
1287 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1289 // Checking added apps accesses
1290 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_1)");
1291 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_1)");
1294 result = app_install(APP_TEST_APP_3);
1295 RUNNER_ASSERT_MSG(result == 0, "app_install returned " << result <<". Errno: " << strerror(errno));
1297 // Checking app accesses
1298 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_install(APP_TEST_APP_3)");
1299 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_install(APP_TEST_APP_3)");
1300 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_install(APP_TEST_APP_3)");
1302 // Adding second antivir
1303 result = app_register_av(APP_TEST_AV_2);
1304 RUNNER_ASSERT_MSG(result == 0, "app_register_av returned " << result <<". Errno: " << strerror(errno));
1306 // Checking app accesses
1307 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1308 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1309 checkOnlyAvAccess(APP_TEST_AV_1, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1310 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_1, "app_register_av(APP_TEST_AV_2)");
1311 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_2, "app_register_av(APP_TEST_AV_2)");
1312 checkOnlyAvAccess(APP_TEST_AV_2, APP_TEST_APP_3, "app_register_av(APP_TEST_AV_2)");
1315 smack_revoke_subject(APP_TEST_AV_1);
1316 smack_revoke_subject(APP_TEST_AV_2);
1318 cleaning_smack_app_files();
1319 cleaning_smack_database_files();
1323 * Grant SMACK permissions based on permissions list.
1325 RUNNER_TEST(privilege_control11_app_enable_permissions)
1328 int smack_file_length;
1332 * Test - Enabling all permissions with persistant mode enabled
1335 result = app_revoke_permissions(APP_ID);
1336 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1337 "Error revoking app permissions. Result: " << result);
1339 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1340 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1341 " Error enabling app permissions. Result: " << result);
1343 // Check if the accesses are realy applied..
1344 result = test_have_all_accesses(rules2);
1345 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1348 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1349 RUNNER_ASSERT_MSG(pFile != NULL,
1350 "SMACK file NOT created!. Errno: " << errno);
1353 fseek(pFile, 0L, SEEK_END);
1354 smack_file_length = ftell(pFile);
1355 RUNNER_ASSERT_MSG(smack_file_length>0,
1356 "SMACK file empty with persistant mode 1. Errno: " << errno);
1362 result = app_revoke_permissions(APP_ID);
1363 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1364 "Error revoking app permissions. Result: " << result);
1367 * Test - Enabling all permissions with persistant mode disabled
1370 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 0);
1371 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1372 " Error enabling app permissions. Result: " << result);
1374 // Check if the accesses are realy applied..
1375 result = test_have_all_accesses(rules2);
1376 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1379 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1380 RUNNER_ASSERT_MSG(pFile != NULL,
1381 "SMACK file NOT created!. Errno: " << errno);
1384 fseek(pFile, 0L, SEEK_END);
1385 smack_file_length = ftell(pFile);
1386 RUNNER_ASSERT_MSG(smack_file_length==0,
1387 "SMACK file not empty with persistant mode 0. Errno: " << errno);
1393 result = app_revoke_permissions(APP_ID);
1394 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1395 "Error revoking app permissions. Result: " << result);
1398 * Test - Enabling all permissions in two complementary files
1401 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R_AND_NO_R, 1);
1402 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1403 " Error enabling app permissions. Result: " << result);
1405 // Check if the accesses are realy applied..
1406 result = test_have_all_accesses(rules2);
1407 RUNNER_ASSERT_MSG(result==1, "Permissions not added.");
1410 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1411 RUNNER_ASSERT_MSG(pFile != NULL,
1412 "SMACK file NOT created!. Errno: " << errno);
1415 fseek(pFile, 0L, SEEK_END);
1416 smack_file_length = ftell(pFile);
1417 RUNNER_ASSERT_MSG(smack_file_length>0,
1418 "SMACK file empty with persistant mode 1. Errno: " << errno);
1424 result = app_revoke_permissions(APP_ID);
1425 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1426 "Error revoking app permissions. Result: " << result);
1429 * Test - Enabling some permissions and then enabling complementary permissions
1432 // Enable permission for rules 2 no r
1433 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1434 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1435 " Error enabling app permissions without r. Result: " << result);
1437 // Check if the accesses are realy applied..
1438 result = test_have_all_accesses(rules2_no_r);
1439 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1442 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1443 RUNNER_ASSERT_MSG(pFile != NULL,
1444 "SMACK file NOT created!. Errno: " << errno);
1447 fseek(pFile, 0L, SEEK_END);
1448 smack_file_length = ftell(pFile);
1449 RUNNER_ASSERT_MSG(smack_file_length>0,
1450 "SMACK file empty with persistant mode 1. Errno: " << errno);
1455 // Enable permission for rules 2
1456 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1457 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1458 " Error enabling app all permissions. Result: " << result);
1460 // Check if the accesses are realy applied..
1461 result = test_have_all_accesses(rules2);
1462 RUNNER_ASSERT_MSG(result==1, "Permissions all not added.");
1465 result = app_revoke_permissions(APP_ID);
1466 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1467 "Error revoking app permissions. Result: " << result);
1470 * Test - Enabling some permissions and then enabling all permissions
1473 // Enable permission for rules 2 no r
1474 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1475 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1476 " Error enabling app permissions without r. Result: " << result);
1478 // Check if the accesses are realy applied..
1479 result = test_have_all_accesses(rules2_no_r);
1480 RUNNER_ASSERT_MSG(result==1, "Permissions without r not added.");
1483 pFile = fopen(SMACK_RULES_DIR APP_ID, "rb");
1484 RUNNER_ASSERT_MSG(pFile != NULL,
1485 "SMACK file NOT created!. Errno: " << errno);
1488 fseek(pFile, 0L, SEEK_END);
1489 smack_file_length = ftell(pFile);
1490 RUNNER_ASSERT_MSG(smack_file_length>0,
1491 "SMACK file empty with persistant mode 1. Errno: " << errno);
1496 // Enable permission for rules 2
1497 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_R, 1);
1498 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1499 " Error enabling app permissions with only r. Result: " << result);
1501 // Check if the accesses are realy applied..
1502 result = test_have_all_accesses(rules2);
1503 RUNNER_ASSERT_MSG(result==1, "Permissions with only r not added.");
1506 result = app_revoke_permissions(APP_ID);
1507 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1508 "Error revoking app permissions. Result: " << result);
1512 * Remove previously granted SMACK permissions based on permissions list.
1514 RUNNER_TEST(privilege_control12_app_disable_permissions)
1518 * Test - disable all granted permissions.
1522 // Prepare permissions that we want to disable
1523 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1524 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1525 " Error enabling app permissions. Result: " << result);
1527 // Disable permissions
1528 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1529 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1530 "Error disabling app permissions. Result: " << result);
1532 // Are all the permissions disabled?
1533 result = test_have_any_accesses(rules2);
1534 RUNNER_ASSERT_MSG(result!=1, "Not all permisions disabled.");
1537 * Test - disable some granted permissions leaving non complementary and then disabling those too.
1540 // Prepare permissions that will not be disabled
1541 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS, 1);
1542 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1543 " Error adding app first permissions. Result: " << result);
1545 // Prepare permissions that we want to disable
1546 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1547 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1548 " Error adding app second permissions. Result: " << result);
1550 // Disable second permissions
1551 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1552 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1553 "Error disabling app second permissions. Result: " << result);
1555 // Are all second permissions disabled?
1556 result = test_have_any_accesses(rules2);
1557 RUNNER_ASSERT_MSG(result!=1, "Not all first permisions disabled.");
1559 // Are all first permissions not disabled?
1560 result = test_have_all_accesses(rules);
1561 RUNNER_ASSERT_MSG(result==1, "Some of second permissions disabled.");
1563 // Disable first permissions
1564 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS);
1565 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1566 "Error disabling app first permissions. Result: " << result);
1568 // Are all second permissions disabled?
1569 result = test_have_any_accesses(rules);
1570 RUNNER_ASSERT_MSG(result!=1, "Not all second permisions disabled.");
1573 * Test - disable only no r granted permissions.
1576 // Prepare permissions
1577 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1578 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1579 " Error adding app permissions. Result: " << result);
1581 // Disable same permissions without r
1582 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R);
1583 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1584 "Error disabling app no r permissions. Result: " << result);
1586 // Is any r permissions disabled?
1587 result = test_have_all_accesses(rules2_r);
1588 RUNNER_ASSERT_MSG(result==1, "Some of r permissions disabled.");
1589 // Are all no r permissions disabled?
1590 result = test_have_any_accesses(rules2_no_r);
1591 RUNNER_ASSERT_MSG(result!=1, "Not all no r permissions disabled.");
1593 // Prepare permissions
1594 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2_NO_R, 1);
1595 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1596 " Error adding app no r permissions. Result: " << result);
1598 // Disable all permissions
1599 result = app_disable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2);
1600 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1601 "Error disabling app permissions. Result: " << result);
1605 * Reset SMACK permissions for an application by revoking all previously
1606 * granted rules and enabling them again from a rules file from disk.
1609 RUNNER_TEST(privilege_control13_app_reset_permissions)
1615 * Test - doing reset and checking if rules exist again.
1618 // Prepare permissions to reset
1619 result = app_enable_permissions(APP_ID, APP_TYPE_OTHER, PRIVS2, 1);
1620 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1621 " Error adding app permissions. Result: " << result);
1623 // Reset permissions
1624 result = app_reset_permissions(APP_ID);
1625 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1626 "Error reseting app permissions. Result: " << result);
1628 // Are all second permissions not disabled?
1629 result = test_have_all_accesses(rules2);
1630 RUNNER_ASSERT_MSG(result==1, "Not all permissions added.");
1632 // Disable permissions
1633 result = app_revoke_permissions(APP_ID);
1634 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1635 "Error disabling app permissions. Result: " << result);
1640 * Make two applications "friends", by giving them both full permissions on
1643 RUNNER_TEST(privilege_control14_app_add_friend)
1648 * Test - making friends with no permissions on each other
1651 result = app_revoke_permissions(APP_FRIEND_1);
1652 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1653 "Error revoking app permissions. Result: " << result);
1654 result = app_revoke_permissions(APP_FRIEND_2);
1655 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1656 "Error revoking app permissions. Result: " << result);
1658 app_uninstall(APP_FRIEND_1);
1659 app_uninstall(APP_FRIEND_2);
1661 // Installing friends to be
1662 result = app_install(APP_FRIEND_1);
1663 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1664 " Error installing first app. Result: " << result);
1665 result = app_install(APP_FRIEND_2);
1666 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1667 " Error installing second app. Result: " << result);
1670 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1671 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1672 " Error making friends. Errno: " << result);
1674 // Checking if friends were made
1675 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1676 RUNNER_ASSERT_MSG(result == 1,
1677 " Error first one sided friednship failed. Result: " << result);
1678 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1679 RUNNER_ASSERT_MSG(result == 1,
1680 " Error second one sided friednship failed. Result: " << result);
1683 result = app_revoke_permissions(APP_FRIEND_1);
1684 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1685 "Error revoking app permissions. Result: " << result);
1686 result = app_revoke_permissions(APP_FRIEND_2);
1687 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1688 "Error revoking app permissions. Result: " << result);
1690 app_uninstall(APP_FRIEND_1);
1691 app_uninstall(APP_FRIEND_2);
1694 * Test - making friends with nonexisting friend
1697 // Installing one friend
1698 result = app_install(APP_FRIEND_1);
1699 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1700 " Error installing first app. Errno: " << result);
1702 // Adding imaginairy friend as second
1703 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1704 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1705 " Error making friends (first) with imaginairy friend failed. Result: "
1707 // Adding imaginairy friend as first
1708 result = app_add_friend(APP_FRIEND_2, APP_FRIEND_1);
1709 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1710 " Error making friends (second) with imaginairy friend failed. Result: "
1713 result = app_revoke_permissions(APP_FRIEND_1);
1714 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1715 "Error revoking app permissions. Result: " << result);
1716 result = app_revoke_permissions(APP_FRIEND_2);
1717 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1718 "Error revoking app permissions. Result: " << result);
1720 app_uninstall(APP_FRIEND_1);
1721 app_uninstall(APP_FRIEND_2);
1724 * Test - making friends with some permissions already added
1729 struct smack_accesses * rulesFriend = NULL;
1731 std::vector<std::string> accessesFriend =
1732 { "r", "w", "x", "rw", "rx", "wx", "rwx", "rwxat" };
1734 // Installing friends to be
1735 result = app_install(APP_FRIEND_1);
1736 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1737 " Error installing first app. Result: " << result);
1738 result = app_install(APP_FRIEND_2);
1739 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1740 " Error installing second app. Result: " << result);
1742 for(i = 0; i<accessesFriend.size(); ++i)
1744 for(j = 0; j<accessesFriend.size(); ++j)
1747 // Adding rules before making friends
1748 result = smack_accesses_new(&rulesFriend);
1749 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1750 "Error in smack_accesses_new. Result: " << result);
1752 result = smack_accesses_add(rulesFriend,
1753 APP_FRIEND_1, APP_FRIEND_2, accessesFriend[i].c_str());
1754 RUNNER_ASSERT_MSG(result == 0,
1755 "Unable to add modify rulesFirend (first). Result: " << result);
1756 result = smack_accesses_add(rulesFriend, APP_FRIEND_2,
1757 APP_FRIEND_1, accessesFriend[j].c_str());
1758 RUNNER_ASSERT_MSG(result == 0,
1759 "Unable to add modify rulesFirend (second). Result: " << result);
1761 result = smack_accesses_apply(rulesFriend);
1762 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1763 "Error in smack_accesses_apply. Result: " << result);
1766 result = app_add_friend(APP_FRIEND_1, APP_FRIEND_2);
1767 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1768 " Error making friends. Result: " << result);
1770 // Checking if friends were made
1771 result = smack_have_access(APP_FRIEND_1, APP_FRIEND_2, "wrxat");
1772 RUNNER_ASSERT_MSG(result == 1,
1773 " Error first one sided friednship failed. Result: " << result);
1774 result = smack_have_access(APP_FRIEND_2, APP_FRIEND_1, "wrxat");
1775 RUNNER_ASSERT_MSG(result == 1,
1776 " Error second one sided friednship failed. Result: " << result);
1778 // Deleting all rules between friends
1779 smack_accesses_add_modify(rulesFriend,
1780 APP_FRIEND_1, APP_FRIEND_2,"","rwxat");
1781 smack_accesses_add_modify(rulesFriend,
1782 APP_FRIEND_2, APP_FRIEND_1,"","rwxat");
1784 result = smack_accesses_apply(rulesFriend);
1786 smack_accesses_free(rulesFriend);
1793 result = app_revoke_permissions(APP_FRIEND_1);
1794 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1795 "Error revoking app permissions. Result: " << result);
1796 result = app_revoke_permissions(APP_FRIEND_2);
1797 RUNNER_ASSERT_MSG(result == PC_OPERATION_SUCCESS,
1798 "Error revoking app permissions. Result: " << result);
1800 app_uninstall(APP_FRIEND_1);
1801 app_uninstall(APP_FRIEND_2);
1804 static void smack_set_random_label_based_on_pid_on_self(void)
1807 std::stringstream ss;
1809 ss << "s-" << getpid() << "-" << getppid();
1810 result = smack_set_label_for_self(ss.str().c_str());
1811 RUNNER_ASSERT_MSG(result == 0, "smack_set_label_for_self("
1812 << ss.str().c_str() << ") failed");
1815 static void smack_unix_sock_server(int sock)
1821 fd = accept(sock, NULL, NULL);
1825 result = smack_new_label_from_self(&smack_label);
1830 RUNNER_ASSERT_MSG(0, "smack_new_label_from_self() failed");
1832 result = write(fd, smack_label, strlen(smack_label));
1833 if(result != (int)strlen(smack_label)){
1837 RUNNER_ASSERT_MSG(0, "write() failed: " << strerror(errno));
1843 RUNNER_TEST(privilege_control15_app_id_from_socket)
1846 struct sockaddr_un sockaddr = {AF_UNIX, SOCK_PATH};
1850 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1852 smack_set_random_label_based_on_pid_on_self();
1854 if (!pid) { /* child process, server */
1857 /* Set the process label before creating a socket */
1858 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1859 RUNNER_ASSERT_MSG(sock >= 0, "socket failed: " << strerror(errno));
1861 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
1864 RUNNER_ASSERT_MSG(0, "bind failed: " << strerror(errno));
1866 result = listen(sock, 1);
1869 RUNNER_ASSERT_MSG(0, "listen failed: " << strerror(errno));
1871 smack_unix_sock_server(sock);
1873 /* Change the process label with listening socket */
1874 smack_unix_sock_server(sock);
1877 RUNNER_ASSERT_MSG(pid >= 0, "Fork failed");
1878 /* Now running two concurrent servers.
1879 Test if socket label was unaffected by fork() */
1880 smack_unix_sock_server(sock);
1881 /* Let's give the two servers different labels */
1882 smack_unix_sock_server(sock);
1884 waitpid(pid, NULL, 0);
1886 } else { /* parent process, client */
1887 sleep(1); /* Give server some time to setup listening socket */
1889 for (i = 0; i < 4; ++i) {
1892 char smack_label1[SMACK_LABEL_LEN + 1];
1895 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1896 RUNNER_ASSERT_MSG(sock >= 0,
1897 "socket failed: " << strerror(errno));
1898 result = connect(sock,
1899 (struct sockaddr *) &sockaddr, sizeof(struct sockaddr_un));
1902 RUNNER_ASSERT_MSG(0, "connect failed: " << strerror(errno));
1906 result = read(sock, smack_label1, SMACK_LABEL_LEN);
1910 RUNNER_ASSERT_MSG(0, "read failed: " << strerror(errno));
1912 smack_label1[result] = '\0';
1913 smack_label2 = app_id_from_socket(sock);
1914 if(smack_label2 == NULL){
1916 RUNNER_ASSERT_MSG(0, "app_id_from_socket failed");
1918 result = strcmp(smack_label1, smack_label2);
1921 RUNNER_ASSERT_MSG(0, "smack labels differ: '" << smack_label1
1922 << "' != '" << smack_label2 << "-" << random() << "'");
1926 waitpid(pid, NULL, 0);
1930 RUNNER_TEST(privilege_control16_app_setup_path){
1931 const char *path1 = "/usr/share/privilege-control/app_setup_access_test";
1932 const char *path2 = "/usr/share/privilege-control/app_setup_access_test/directory";
1933 const char *path3 = "/usr/share/privilege-control/app_setup_access_test/one";
1934 const char *path4 = "/usr/share/privilege-control/app_setup_access_test/directory/two";
1935 const char *label1 = "qwert123456za";
1936 const char *label2 = "trewq654123az";
1938 std::unique_ptr<char, std::function<void(void*)>> labelPtr(NULL,free);
1943 int fd = creat(path3, S_IRWXU);
1946 fd = creat(path4, S_IRWXU);
1952 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label1));
1953 RUNNER_ASSERT(0 == smack_lgetlabel(path3, &label, SMACK_LABEL_ACCESS));
1954 labelPtr.reset(label);
1956 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label1));
1958 RUNNER_ASSERT(PC_OPERATION_SUCCESS == app_setup_path("somepackageid", path1, APP_PATH_ANY_LABEL, label2));
1959 RUNNER_ASSERT(0 == smack_lgetlabel(path4, &label, SMACK_LABEL_EXEC));
1960 labelPtr.reset(label);
1962 RUNNER_ASSERT(0 == strcmp(labelPtr.get(), label2));
1964 RUNNER_ASSERT(0 == smack_lgetlabel(path1, &label, SMACK_LABEL_EXEC));
1965 labelPtr.reset(label);
1967 RUNNER_ASSERT(labelPtr.get() == NULL);